Lancaster University has admitted that its systems were subjected to two data breaches in the last few days. It is blaming the breaches on a sophisticated and malicious phishing attack. The university has a major cyber security research department and is one of just a few UK universities offering an MSc in Cyber Security. As such, the breach is more than embarrassing. Its own expertise in the field is likely to be taken into account in the ICO investigation and in any decision on fines.
Lancaster University stated in its press release: “We acted as soon as we became aware that Lancaster was the source of the breach on Friday and established an incident team to handle the situation. It was immediately reported to the Information Commissioner’s Office. Since Friday we have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected. This work of our incident team is ongoing as is the investigation by law enforcement agencies.”
What do we know?
At the moment, not much more than the press release. Enterprise Times has emailed the university asking for more details. However, the university says that this is a live investigation and won’t be commenting further at the moment.
In terms of the two data breaches, the university has said:
- Undergraduate student applicant data records for 2019 and 2020 entry have been accessed. This includes information such as their name, address, telephone number, and email address. We are aware that fraudulent invoices are being sent to some undergraduate applicants. We have alerted applicants to be aware of any suspicious approaches.
- A breach has also occurred of our student records system and at the present time we know of a very small number of students who have had their record and ID documents accessed. We are contacting those students to advise them what to do.
At this time of year, many students are trying to make sure that they get their preferred place at a university. It is not clear whether the data applies to only students who have applied and been accepted at Lancaster University or to all applicants.
If the latter then there are some serious concerns here in addition to the fraudulent invoices. Students may believe that the invoice means they have a place and lose money by paying it. For some, it could mean they turn down offers elsewhere. If that happens and a student loses a place on a course, the question is what will Lancaster University do?
UK universities easy pickings
Last year there were over 1,000 attacks against research projects run by UK universities. The data and research that they hold is highly valued around the world. Cyber criminals can sell the data on to companies, which are then able to bring products to market based on that research.
It is not just research projects that are the target. Staff and student records are also of interest to cyber crime groups. They offer up information that allows targeted attacks on current and former students. For universities like Lancaster, which are centres of excellence for computing and cyber security, such breaches are a major problem. They call into question the university's ability to protect data and threaten its research programmes.
Earlier this year two reports were damning of UK universities. The first came from Jisc (formerly the Joint Information Systems Committee). It hired ethical hackers to see how secure data was at UK universities. The results were stark. It took just two hours to gain access to highly sensitive data at a number of universities.
The second report came from VMware and EMC. Titled University Challenge: Protecting Research in Higher Education (registration required), it highlights just how difficult universities find it to protect data.
Enterprise Times: What does this mean?
Another hack at a UK university is unlikely to get much attention from the general public. However, there is a much more serious side to this issue. The UK makes significant money from the research carried out in its universities. It allows the UK to punch above its weight in the scientific and business community. The UK is one of the top locations for AI, machine learning, cyber security, medicine and drug research to name just a few areas.
Many companies that commission research are doing so a long way ahead of products being created. It can take up to five years and cost tens of millions of pounds to run through research programmes. If a cyber criminal can gain access to that data and sell it to a competitor, it is not just the research that is lost. It can be jobs, patents, future revenue and, for the research team, a loss of credibility and trust.
At the moment, Lancaster University believes that it has found and stopped this attack. The question is whether any of the data will be used in future attacks. Having the details of students allows cyber criminals to craft spear phishing attacks in the future. They will also be able to track those working in certain areas over time. It means that they can pick their time to steal user credentials to gain access to sensitive data.
For now we have to wait for Lancaster University to provide more details on how the attack occurred and the full list of what was taken.