Phishing attack: Students' personal information stolen in university data breach

University says it has fallen victim to "a sophisticated and malicious phishing attack" -- and students are being warned to look out for suspicious emails.
Written by Danny Palmer, Senior Writer

Hackers have stolen personal data of prospective and current students at Lancaster University after gaining access to databases that contained personal information -- with victims now the targets of additional cyberattacks.

Names, addresses, telephone numbers, and email addresses have been compromised by cyberattackers who gained unauthorised entry to undergraduate students' application records for 2019 and 2020. The university has over 13,000 students, but there's currently no figure on the number of people who have been caught up in the attack.

Hackers also breached the student records system, gaining access to ID documents of what the university described as a "very small" number of students.

Some undergraduate applicants have been targeted with phishing emails containing fraudulent invoices and the university has warned potential victims to be aware of "suspicious approaches".

Lancaster became aware of the breach on Friday 19 July and set up an incident response team to investigate, as well as "immediately" reporting the breach to the Information Commissioner's Office -- as required under the General Data Protection Regulation (GDPR).

"The University of Lancaster has reported an incident to us and we will assess the information provided," an ICO spokesperson told ZDNet.

The National Cyber Security Centre has also been informed of the attack. "We are aware of an incident affecting Lancaster University and are supporting law enforcement colleagues with their investigation," said an NCSC spokesperson.

The university has described the incident as "a sophisticated and malicious phishing attack which has resulted in breaches of student and applicant data".

A statement from Lancaster University says since the incident came to light, it has focused on safeguarding its IT systems and is identifying and advising those who have been affected. The university has also provided a helpline for those who think they've been targeted by suspicious emails.

A Lancaster University spokesperson told ZDNet it couldn't reveal any more information about the attack due to the ongoing investigation. 

Universities are a regular target for phishing attacks, with cybercriminals attempting to dupe both students and staff into giving up personal data, login credentials, and other information.

