Student and applicant data have been breached in a “sophisticated and malicious” phishing attack on Lancaster University.
Undergraduate student applicant data records for 2019 and 2020 entry have been accessed, the university said.
These records include applicants’ names, addresses, telephone numbers and email addresses.
Lancaster said that it is “aware that fraudulent invoices” are being sent to some undergraduate applicants, and the university has warned applicants to be on the alert for any suspicious approaches.
There has also been a breach of the university’s student records system, and the university so far knows of a “very small number of students” who have had their record and ID documents accessed.
Lancaster is contacting the students involved to advise them what to do.
“We acted as soon as we became aware that Lancaster was the source of the breach on Friday and established an incident team to handle the situation,” said a university spokesman.
Since then, the university has “focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected”, he added.
The attack has been reported to the Information Commissioner’s Office.
On 24 July, the National Crime Agency said that a 25-year-old man from Bradford had been arrested on suspicion of committing Computer Misuse Act and fraud offences, following the cyber incident affecting Lancaster.
Officers from the NCA’s National Cyber Crime Unit arrested the man and he has since been released under investigation while enquiries are ongoing.