Lancaster University Admits ‘Sophisticated Phishing Attack’

Lancaster University has admitted it has been hacked in a cyber-attack that has impacted both student and applicant data.

The north west University announced that the ‘sophisticated and malicious phishing attack’ has compromised name, address, telephone number, and email address, and that in some case “fraudulent invoices are being sent to some undergraduate applicants.”

In April this year the cyber defences of British universities was called into question after ethical hackers quickly overcame them.

Lancaster attack

Under penetration testing, Jisc – the UK provider of ICT services for the education sector, said there was a 100 percent track record of gaining access to high-value data within two hours.

And now months later Lancaster University cyber defences have been found wanting.

“Lancaster University has been subject to a sophisticated and malicious phishing attack which has resulted in breaches of student and applicant data,” said the university. “The matter has been reported to law enforcement agencies and we are now working closely with them.”

It said that there had been two breaches of data. The first breach concerned undergraduate student applicant data records for 2019 and 2020 entry. This includes information such as name, address, telephone number, and email address.

“We are aware that fraudulent invoices are being sent to some undergraduate applicants,” said the university. “We have alerted applicants to be aware of any suspicious approaches.”

The second breach impacted the university’s student records system.

“At the present time we know of a very small number of students who have had their record and ID documents accessed,” it said.

The university said that it acted as soon as it became aware that Lancaster was the source of the breach on Friday and established an incident team to handle the situation. The breach was immediately reported to the Information Commissioner’s Office.

Industry viewpoint

Jisc warned last year that a spate of cyber attacks against universities and colleges in the UK was more than likely down to staff or students, rather than outside hackers.

And industry experts also added their own thoughts about attacks against universities.

“Across our customer base at Darktrace, universities receive the largest number of targeted phishing emails, which trick the recipient into clicking a malicious link or transferring funds,” said Max Heinemeyer, director of threat hunting at Darktrace.

“We are also seeing the early signs of attackers using artificial intelligence to ‘supercharge’ spoof emails – generating emails that are virtually indistinguishable from genuine ones from trusted contacts,” said Heinemeyer.

“We cannot expect the general public to become experts in cyber security and threats are constantly evolving,” he said. “In this new era of cyber threat, AI is being used to analyse emails for subtle anomalies, and then automatically intervene where an attacker is detected.”

Another expert agreed that these attacks are growing increasingly sophisticated.

“The news that students of Lancaster University have fallen victim to a cyberattack provide example of just how targeted cybercriminals are becoming in their hacking methods, and how any and all sectors are now at constant risk,” said Ed Macnair, CEO of Censornet.

“The attack happened through the ever persisting phishing method,” said Macnair. “In this case, fraudulent invoices were sent to a number of students who had applied to join the university in 2019 to 2020. This shows that, yet again, hacks do not have to be sophisticated to be successful, and that more often than not it simply comes down to hackers convincingly posing as a trusted contact for people to willingly give up their details.”

“Affected students should immediately change their passwords and ensure that they have unique passwords for each account they own,” he added. “This attack highlights how absolutely any organisation is now vulnerable to being hacked, so more vigilance, education, and sophisticated protection is required.”

Do you know all about security? Try our quiz!