Lancaster University has revealed that a successful phishing attack resulted in a data breach involving the data of its students and applicants.
On 22 July, the public research university announced on Twitter that it had suffered a "sophisticated and malicious phishing attack." This tweet linked to a security update published on the school's website.
In both its tweet and its web statement, Lancaster University did not provide details about the phishing attack, such as how many employees opened the malicious email. It did, however, reveal how the successful attack led to two data breaches.
In the first incident, attackers accessed the undergraduate applicant data for 2019 and 2020, including potential students' names, addresses, telephone numbers and email addresses. The university learned that the criminals then used this stolen contact information to send fraudulent invoices to applicants, which prompted officials to contact those affected and warn them to be on the lookout for suspicious correspondence.
The second breach was a comparatively smaller incident that affected the institution's student records system. Those familiar with the breach said the attackers accessed the records and ID documents of a small number of students. In response, the university began contacting those students to advise them on what to do.
Lancaster University said that its response to the phishing attack is still ongoing. As quoted in its web statement:
We acted as soon as we became aware that Lancaster was the source of the breach on Friday and established an incident team to handle the situation. It was immediately reported to the Information Commissioner’s Office. Since Friday we have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected. This work of our incident team is ongoing as is the investigation by law enforcement agencies.
This isn't the first phishing scam that's targeted a UK university recently. In the middle of July, the University of Manchester sent out an email in which it revealed that some of its international students had received fake invoices from fraudsters. These illegitimate bills attempted to trick recipients into paying for airport transfers, city tours and other services for which they had not asked.
In light of these attacks, UK universities should take the lead against social engineering attacks and educate their workforce to be on the lookout for phishing campaigns. They should begin by teaching their staff about the most common types of phishing attacks