Lancaster University has revealed that a successful phishing attack resulted in a data breach involving the data of its students and applicants.

On 22 July, the public research university announced on Twitter that it had suffered a “sophisticated and malicious phishing attack.” This tweet linked to a security update published on the school’s website.

In both its tweet and web statement, Lancaster University didn’t provide any details about the phishing attack including how many employees opened the malicious email. But it did reveal how the successful attack resulted in two data breaches.

In the first security incident, digital attackers managed to access the undergraduate student applicant data for 2019 and 2020 including potential students’ names, addresses, telephone numbers and email addresses. The school learned that digital criminals in turn used this stolen information to send fraudulent invoices to applicants. This prompted officials to reach out to students and warn them to be on the lookout for suspicious correspondence.

The second data breach was a comparatively smaller security incident that affected the institution’s student records system. Those familiar with the breach said that digital attackers managed to access the records and ID documents of a small number of students. In response, they began reaching out to students to advise them of what to do.

Lancaster University clarified that its response to this phishing attack is still ongoing. As quoted in its web statement:

We acted as soon as we became aware that Lancaster was the source of the breach on Friday and established an incident team to handle the situation. It was immediately (Read more...)