Home / News & Resources / News & Updates / Lancaster University data breach. What do we know?

Lancaster University data breach. What do we know?

  • Posted on

Lancaster University has become the latest organisation to suffer at the hands of cybercriminals after a "sophisticated and malicious phishing attack". The university, which offers a GCHQ-accredited degree in security, is now withdrawing non-business-critical access to a breached student database. However, questions must be asked over why this is only happening now - more than a week after the Lancaster University data hack took place.

What happened in the Lancaster University data breach?

The Lancaster University data breach has affected between 12,000 and 20,000 people. This includes undergraduate applicants for 2019 and 2010, as well as some current students. The personal information accessed includes names, addresses, phone numbers and email addresses. Worryingly, the university has also admitted that fraudulent invoices "had been sent to some undergraduate applicants".

Find out more about phishing scams. And what you can do if you have received a fake invoice claiming to be from Lancaster University.

The student and applicant records database hit by the data breach (LUSI) was developed in-house. It has been operational for about five years.

A spokesperson for the university said: "In response to the recent cyber incident, we are taking steps to enhance the security of all University systems. We are therefore in the process of limiting users' access to data and functionality in LUSI."

Have you been affected by the Lancaster University data breach?

In a prepared statement, the university said:

"Lancaster University has been subject to a sophisticated and malicious cyber-attack which has resulted in breaches of student and applicant data. The matter has been reported to law enforcement agencies and we are now working closely with them.

We are aware of two breaches of data:

  1. Undergraduate student applicant data records for 2019 and 2020 entry have been accessed. This includes information such as their name, address, telephone number, and email address. We are aware that fraudulent invoices are being sent to some undergraduate applicants.We have alerted applicants to be aware of any suspicious approaches.
  2. A breach has also occurred of our student records system and at the present time we know of a very small number of students who have had their record and ID documents accessed. We are contacting those students to advise them what to do.

We acted as soon as we became aware that Lancaster was the source of the breach on Friday and established an incident team to handle the situation. It was immediately reported to the Information Commissioner's Office. Since Friday we have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected. This work of our incident team is ongoing as is the investigation by law enforcement agencies.

We are advising applicants, students and staffto contact us if they receive any suspicious communications via email:admissions-advice@lancaster.ac.ukor phone: 01524 510044.

Because this is a live investigation we will not be making any further comment at this stage."

Has Lancaster University made a bad situation worse?

A suspect has been arrested following the data hack. However, this does not justify the university not taking measures to revoke access to the compromised system before now.

Cybercrime attacks have become increasingly difficult to avoid. But, all too often, they are only successful because an organisation has not put the necessary prevention methods in place to keep data safe. To make matters worse, many are falling short of what we would expect when a failure in data privacy occurs.

At Hayes Connor Solicitors, our experience shows that the quicker such incidents are responded to and security tightened following a cyberattack, the better. Leaving compromised systems exposed is just asking for trouble. Faster incident response and breach handling must become a priority if organisations are serious about their data protection responsibilities.

How can Hayes Connor Solicitors help?

If you have been a victim of the Lancaster University data breach, we can help you to claim compensation for any financial losses or distress. Claiming compensation isn't just in your best interests. The only way these organisations will be persuaded to take their responsibilities seriously and make the necessary improvements is by hurting their bottom line.

Our professional, friendly team will be pleased to answer any questions you might have about claiming. We will also go through your options and let you know about our NO WIN, NO FEE agreements.

We understand that making a compensation claim can be stressful; especially where you have already been the victim of a crime. That's why we make sure you always know what's happening and remove the jargon from the process.

Our process is fully compliant with data protection requirements. And we never put your details at risk.