Lancaster University (legally the University of Lancaster) is a collegiate public research university in Lancaster, Lancashire, England. The university was established by Royal Charter in 1964.
In 2018 it was awarded University of the Year by The Times and Sunday Times Good University Guide, and achieved its highest ever national ranking of 6th place within the guide's national table. The annual income of the institution for 2016-17 was £267.0 million of which £37.7 million was from research grants and contracts, with an expenditure of £268.7 million.
Lancaster University, which offers a GCHQ-accredited degree in security, has been struck by a "sophisticated and malicious phishing attack" that resulted in a data breach.
Here are the top 7 facts about the Lancaster University data breach (July 2019).
Fact 1: Around 20,000 student applicant data records for 2019 and 2020 entry have been accessed by the cyber attacker. This includes information such as their name, address, telephone number, and email address.
Fact 2: The university data breach affects more than 12,500 students and applicants.
Fact 3: Fraudulent invoices are being sent by email to some undergraduate applicants. Around half a dozen students had paid these fraudulent invoices. The highest undergraduate fee for overseas (non-EU) students is Lancaster's Bachelor of Medicine, Bachelor of Surgery (MBChB) course at £31,540.
Fact 4: A second breach also occurred on the University's student records system; at the present time a very small number of students have had their records and ID documents accessed.
Fact 5: The cyber attackers' route in was through the compromise of a staff account with administrator credentials, handing the attackers a golden ticket with which to rampage through the university's systems.
Fact 6: The University reported the data breach to the Information Commissioner's Office (ICO) to comply with the UK Data Protection Act and the EU GDPR.
Fact 7: The National Crime Agency (NCA), which is currently investigating the breach, confirmed that the University's systems were compromised. On 22nd July 2019 the NCA arrested a 25-year-old man from Bradford on suspicion of Computer Misuse Act and fraud offences. He has been released under investigation while enquiries continue.
Lessons & Recommendations:
It is clearly evident that the University did not have adequate technical and organizational measures in place to safeguard student personal data. Based on the above facts, it is also clear that the University had weak safeguards against phishing email campaigns. Privileged access to the student records system was poorly managed, and compromised staff admin credentials were used to launch sophisticated phishing emails. These phishing emails contained bogus invoices asking undergraduate applicants to make payments towards their courses and programmes.
Our recommendation to the University management and IT team is to conduct a thorough security audit of the student systems to review and lock down privileged access. Privileged access should be tightly controlled, regularly reviewed and granted on a need-to-know basis. The University should review and invest in effective email security safeguards to prevent sophisticated phishing campaigns from reaching staff and applicants. The University should also review its information security and privacy programme and raise security and privacy awareness among staff and students so that data breaches are quickly identified and reported.