Bradford man arrested over Lancaster University hacking spree

It is suspected the 25-year-old compromised student application records.

A British man has been arrested on suspicion of breaking into Lancaster University systems and stealing records belonging to students.

On Tuesday, ZDNet reported that the names, addresses, telephone numbers, and email addresses of students were involved in the data breach, which was discovered on 19 July. 

Lancaster University, a research-intensive establishment which often appears in the top ten in annual university guides, caters for approximately 13,000 students. The university does not know exactly how many students have been affected by the attack.

The cyberattacker responsible was also able to access some identification documents. Lancaster University says the number of IDs impacted is "very small."

Lancaster University deemed the incident "a sophisticated and malicious phishing attack which has resulted in breaches of student and applicant data."

Fake invoices in phishing emails have also been sent to some students, which may indicate that the ransacking of university data was the first stepping stone into what could have become financial theft. 

According to the UK's National Crime Agency (NCA), a 25-year-old man from Bradford, West Yorkshire, has been arrested on suspicion of involvement in the cyberattack, under the Computer Misuse Act (CMA), and on suspicion of fraud.

Law enforcement officials from the NCA's National Cyber Crime Unit (NCCU) arrested the man on Monday and he has been released. An investigation is underway.

The university has set up a response team and has begun notifying impacted students. 

Under the terms of the EU General Data Protection Regulation (GDPR), Lancaster University has also reported the data breach to the UK's Information Commissioner's Office (ICO). If the agency determines the cyberattack's success was due to lax security on Lancaster University's part, financial penalties may be issued.

In April, an ethical hacking test in which 50 UK universities took part revealed that it can take as little as two hours to compromise a university network.

Earlier this month, the US Department of Education warned US universities of a swathe of cyberattacks being launched against universities through a vulnerability in an enterprise resource planning (ERP) web app. 

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0