
Lancaster University students’ data stolen in ‘sophisticated and malicious’ attack

Written by Tue 23 Jul 2019

Large amount of personal data stolen in phishing attack

Lancaster University has been struck by a ‘sophisticated and malicious phishing attack’ affecting the data of students and applicants, the University revealed.

In a posting on its website, the University said it detected the breach on Friday and has reported the incident to law enforcement agencies, which are working with it to identify the perpetrators.

The applicants affected are undergraduate students applying to the University for entry in 2019 and 2020.

Personal data, including names, addresses, telephone numbers and email addresses, has been breached, and the attackers have exploited it to send fraudulent invoices. The University has not disclosed the number of applicants affected.

The other breach targeted Lancaster’s student records system. The University said attackers managed to access some education records and ID documents belonging to current students, but that it is only aware of a “very small number” who have been affected.

Tried and tested

Richard Cassidy, senior director of strategy at SIEM provider Exabeam, said while the attack was targeted, it was ‘by no means sophisticated’.

“The techniques used are a ‘tried and tested’ favourite of almost all cyber criminal (and nation state) groups,” Cassidy said.

“Many Universities targeted by previous campaigns (especially those that were linked to nation state groups in 2018) run GCHQ approved cyber security BSc/MSc’s. Speculation is always a delicate game, but if we consider the TTPs (techniques, tactics and procedures) of nation state groups, it could be part of a much wider mission to gain insights that would better serve more sophisticated malware and targeted attacks in future.”

Per GDPR regulations, the University said it contacted the ICO as soon as it became aware of the breach, and that it has taken measures to improve the security of its systems.

“Since Friday we have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected,” the University said.

“This work of our incident team is ongoing as is the investigation by law enforcement agencies.”

Cassidy added that to help avoid further attacks in the future, organisations need to educate their employees about phishing attacks.

“Users need to be taught how to remain vigilant and to apply the ‘if in doubt, there is no doubt’ rule in reporting suspicious communication – be it via e-mail, social media or other,” he said.

Lancaster University has advised applicants, students and staff who receive any suspicious communications to contact it by email ([email protected]) or phone (01524 51004).
