Security breach at Lancaster University

Student Information at Risk

It became apparent that, between Friday 19^th July and Saturday 20^th July 2019, there was a data security breach within Lancaster University’s systems. This included “malicious third parties” obtaining personal information, such as a small number of students’ identification documents, such as driving licenses and birth certificates. However, they have “no evidence” that documents were downloaded.

Students who were directly and seriously affected were contacted on Sunday 21st July, to be made aware that their information and student record data had been breached. With details on what to do next, how this happened and sincere apologies from the University.

One student affected, Erin Wilson gave a comment for SCAN, stating that “it’s quite distressing because my information is out there, but it’s also quite a weird occurrence”. Erin acknowledged and commented that this incident has only affected a small number of students, but also told us that “although the situation is being managed however the University sees fit, it’s still worrying”.

The University sent a student wide email out, announcing that this breach has occurred, and that student information has been obtained. They state that they are “aware of two data breaches” one of which affects current students. It appears that both current and prospective students have been affected by this data breach.

The two breaches include current student identification data and 2019 and 2020 undergraduate applicant data.

The University Press Office has given a comment to the SCAN team, stating that “Undergraduate student applicant data records for 2019 and 2020 entry have been accessed. This includes information such as their name, address, telephone number, and email address. We are aware that fraudulent invoices are being sent to some undergraduate applicants. We have alerted applicants to be aware of any suspicious approaches.” 

Further to this, they have stated “We acted as soon as we became aware that Lancaster was the source of the breach on Friday and established an incident team to handle the situation. It was immediately reported to the Information Commissioner’s Office. Since Friday we have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected. This work of our incident team is ongoing as is the investigation by law enforcement agencies.”

The University has asked SCAN to make readers aware that they should contact the University on admissions-advice@lancaster.ac.uk or 01524 510044 should they need advice, have any queries, or feel that they may have been affected by this attack.

What happened?

The University holds all student information on the University’s student records system, which includes “scanned copies” of identification documents. They became aware on the 20^th July that this system had been accessed by a third party, who does not have authority to see or utilise these documents, along with applicant data. It appears that emails have been sent out to affected students by a third party.

Despite the University meeting all guidelines and following legal requirements, the “sophisticated nature” of the attackers meant that they were able to gain access to the University’s systems.

What is the University doing?

Lancaster University have said that they “have always taken data security responsibilities very seriously” and that they can never be risk-free of a malicious attack, just as all organisations are.

As soon as the University became aware of the breach, they put a team of investigators and are currently liaising with law enforcement agencies to investigate the data breach. How exactly the data became accessible is still being investigated. The University is now taking steps to “further enhance security”.

This is an ongoing story.

Update

On Monday 22nd July a 25-year old man, from Bradford, was arrested on suspicion of committing Computer Misuse Act and fraudulent offences. However, he has since been released under investigation while enquiries continue.