Lancaster University phishing attack demonstrates vulnerability of higher education sector

A data breach at Lancaster University exposed data including undergraduate applicant information and student records

Personal data of "a very small number" of students at Lancaster University was stolen in a phishing attack, the educational institution announced on 22 July.

"Lancaster University has been subject to a sophisticated and malicious phishing attack which has resulted in breaches of student and applicant data. The matter has been reported to law enforcement agencies and we are now working closely with them," the announcement said.

The university was alerted about the breach on Friday, 19 April. The data accessed includes undergraduate student applicant information for 2019 and 2020 entry such as their name, address, telephone number, and email address. 

"We are aware that fraudulent invoices are being sent to some undergraduate applicants. We have alerted applicants to be aware of any suspicious approaches," the university said. 

"Across our customer base at Darktrace, universities receive the largest number of targeted phishing emails, which trick the recipient into clicking a malicious link or transferring funds," Max Heinemeyer, director of threat hunting at Darktrace, told SC Media UK.

"We are also seeing the early signs of attackers using artificial intelligence to ‘supercharge’ spoof emails – generating emails that are virtually indistinguishable from genuine ones from trusted contacts," he added.

"Affected students should immediately change their passwords and ensure that they have unique passwords for each account they own," Censornet CEO Ed Macnair told SC Media UK.

SC Media UK this month reported an instance of lateral phishing in a higher educational institution, whose email system was infiltrated when the attackers sent one of the student's a phishing email, pretending to come from Microsoft Outlook and alerting them about a fake security incident in their account.

"Educational organisations continue to be targets for cyber-attacks. Unfortunately, the sprawling nature of a college – with all their separate faculties and facilities – and the inevitable movement of data between departments makes IT admin and security difficult to implement and maintain," wrote Kelvin Murray, senior threat researcher at Webroot, in an email to SC Media UK.

"Additionally, universities contain a wealth of valuable intellectual property which can be valuable to hackers, especially those acting on behalf of governments," he added.

Two days before the Lancaster data breach was discovered, the US Department of Education announced the breach of data from 62 colleges using Ellucian Banner System, a software implemented by colleges to design web applications and authenticate users. 

"Whilst this reported attack certainly seems to be a targeted one, it is by no means sophisticated. The techniques used are a ‘tried and tested’ favourite of almost all cyber-criminal (and nation state) groups," wrote Richard Cassidy, senior director of security strategy at Exabeam, in an email to SC Media UK.

"What is interesting here is that if we take a look at those universities targeted by previous campaigns, especially those that were linked to nation state groups in 2018, many of them run GCHQ approved cyber-security BSc/MSc’s," he noted.

Security experts contacted by SC Media UK were unanimous in saying that precaution and awareness are the best defence tactics against phishing.

"To mitigate future attacks, IT teams must properly audit all machines connected to their networks and the data they hold. Security awareness training should be implemented for staff and students from day one, ensuring that they are vigilant in scrutinising the types of emails they receive. This should be underpinned by cyber-security technology such as email filtering, anti-virus protection, and sensible password policies," said Murray.

Education is the key factor in the fight against phishing attacks, said Cassidy. "Users need to be taught how to remain vigilant and to apply the ‘if in doubt, there is no doubt’ rule in reporting suspicious communication – be it via e-mail, social media or other."

"Students need to be suspicious of any email or communication (including text messages, social media posts, ads) with urgent requests for personal financial information," said John Ford, CISO at ConnectWise.

"Phishers typically include upsetting or exciting (but false) statements to get people to hand over their usernames, passwords, credit card numbers, social security numbers, date of birth and other personal information. Phishers have the ability to spoof and/or forge the https:// that you normally see on a secure web server and a legitimate-looking web address, which is why you should always type the web address yourself instead of clicking on displayed links," he added.

Phishing emails often seek to take advantage of a specific situation and the unique stressors affecting people at any given time due to circumstance, observed Carl Wearn, former police officer and e-crime lead at Mimecast.

"During the summer many students are stressed and very busy completing time-sensitive applications to College or University and this renders them particularly vulnerable to phishing in relation to those applications," he said.

Staying vigilant by paying particular attention to the grammar and origins of emails and taking additional steps to verify any communications by telephoning or contacting the institution via a trusted and previously verified contact method to confirm the invoice can prevent most of the phishing incidents, he said.

"Do not use any contact details given within the email as they may also be falsified," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews