Lancaster University, which offers a GCHQ accredited cyber-security course and has its own Cyber Security Research Centre has been hit by what it has described as a “sophisticated and malicious phishing attack”, resulting in the leak of the personal data of new university applicants.
On the University’s website, even though it states that only “a very small number of students” actually had their records and ID documents accessed as a result of the attack, other estimates published by IT news commentators online, and based on statistics compiled by UCAS suggest that possibly over 12,000 people may have been affected.
The attack appears to have been focused on the new student applicant data records for 2019 and 2020.
According to the university, the new applicant information which may have been accessed includes names, addresses, telephone numbers, and email addresses.
There have also been reports that, following the attack, fraudulent invoices have been sent to some undergraduate applicants.
Although very little information has been divulged about the exact nature of the attack, universities are known to be particularly attractive targets for phishing emails i.e. emails designed to trick the recipient into clicking on malicious links or transferring funds. This is because educational institutions tend to have large numbers of users spread across many different departments, different facilities and faculties, and data is moved between these, thereby making admin and IT security very complicated. Also, universities have a lot of valuable intellectual property as well as student and staff personal data within their systems which are tempting targets for hackers.
Lancaster University says that it became aware of the breach on Friday 19th July, whereupon it established an incident team to handle the situation and immediately reported the incident to the Information Commissioner’s Office (ICO).
A criminal investigation led by the National Crime Agency’s (NCA) National Cyber Crime Unit (NCU) is now believed to be under way, and the university has been focusing efforts on safeguarding its IT systems and identifying and advising any students and applicants who have been affected.
US Universities & Colleges Hit Days Before
Just days before the attack on Lancaster University came to light, The U.S. Department of Education reported that a vulnerability in the Ellucian Banner System authentication software led to 62 colleges or universities being been affected.
What Does This Mean For Your Business?
For reasons already mentioned (see the ‘Why?’ section), schools, colleges and universities are prime targets for hackers, and this is why many IT and security commentators think that the higher education sector should be looking to take cyber-security risks very seriously, and make sure that training and software are put in place to enable a more proactive approach to attack prevention. Users, both students and staff, need to be educated about threats, and how to spot and what to do with suspicious communications by email or social media. Students, for example, need to be aware that during summer months when they are more stressed, and when they are awaiting news of applications they may be more vulnerable to phishing attacks, and that they should only contact universities through a trusted, previously tried method, and not rely upon the contact information and links given in emails.
For Lancaster University, which has its own Cyber Security Research Centre and offers a GCHQ approved cybersecurity course, this attack, which has generated some bad publicity and may adversely affect some victims, is likely to be very embarrassing and may even deter some future applicants.
Lancaster University has advised applicants, students and staff to make contact (via email or phone) If they receive any suspicious communications.