After a phishing attack stole Personally Identifiable Information (PII) from thousands of current and prospective students at Lancaster University, the BBC referred to the attack as “sophisticated and malicious”.
The data stolen included names, home addresses, email addresses, and phone numbers. Some students even reported having received fake invoices. Receiving malicious communications from trusted educational institutions can cause otherwise vigilant people to fall prey to costly scams.
The incident shows the importance of cybersecurity at educational institutions, as they typically hold extensive archives of sensitive information on students and alumni. Reports stated that the attackers gained access to the system through a staff account, forging administrative credentials. This gave the attackers nearly full access to the school systems and all of the information they sought to steal.
University officials stated that the number of students affected is small, and they have done all in their power to not only mitigate the vulnerability but to also reach out to those affected with advice on how to protect themselves.
Furthermore, according to a report from The Register, at least 12,500 potential students also had their information stolen. The university admitted that applicant information from 2019 and 2020 has been similarly compromised.
A suspect was arrested in the investigation: a 25-year-old man accused of violating the Computer Misuse Act. In a statement, the National Crime Agency said: “Officers from the NCA’s National Cyber Crime Unit arrested the man and he has since been released under investigation while enquiries are ongoing.”
Phishing scams are a prominent issue and are expected to get worse as the tools used become more sophisticated. Stay alert and stay safe.