Lancaster University Phishing Attack

As reported on July 22, the students of Lancaster University, one of the top universities in the UK, join the long and ever-growing list of victims of a phishing attack.

A sophisticated and malicious attack

On July 19, the university were only under the illusion that their servers had been hacked but later discovered a data breach had occurred and hundreds of students’ data had been accessed by malicious hackers. The exact number of students is still unknown.

What happened?

Whenever a data breach occurs, an investigation about the breach and its origin is conducted urgently. After this research was conducted, it was discovered that fake invoices were sent to undergraduate applicants. That led to the theft of some prospective, and already enrolled, student data such as phone numbers, ID documents, and other students records information.

The hackers were successfully reaching the database of the system which contained the students’ personal information and the application records for 2019 and 2020 were specifically targeted. The total number of enrolled students is circa 13,000 but there is no exact figure yet which can tell that how many students were caught in this cyber-attack.


National Cyber Security Centre


When the attack was discovered and identified on 19 July, an incident team was established to find a solution to the current situation. In addition to this, the incident was reported to agencies such as the UK’s National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).

In this instance, because of the type of data stolen, reporting to the ICO is a legal obligation under Article 33 of the General Data Protection Legislation (GDPR) which reads:

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons

The GDPR, Article 33.

Information Commissioner's Office

Steps were taken in response to the attacks

Following the attack, the university has implemented new strategies to avoid any such incidents in the future and Lancaster University are said to have made IT security systems stronger. The university has also identified the individuals who have been affected by this attack and the law enforcement authorities have this is hand.

Another useful step taken by the university is a helpline (01524 510044). The individuals who think that they have been affected by the cyber-attack can call this helpline to obtain assistance regarding the issue. There is also an email address ( which students can use as a contact method.


There is a high chance, and is often commonplace now, the cyber-criminals may have asked for a ransom but there is no further information made about the incident, as it’s the protocol to stay quiet during the period of an ongoing investigation. The incident team and the law enforcement agencies together are conducting the research.

Universities are a prime target for both independent and state-owned malicious actors due to the quantity and quality of both academic and personal data held.

Security Awareness Training

This is just one of many incidents that demonstrate how comprehensive phishing and security awareness training is critical to all organisations, regardless of size. Its low price versus the potential gains in security and reduction in risk should make it top of the list for any organisation’s cyber security shopping list.

For further guidance, see our 6 reasons why you need Security Awareness Training for more information. 

Also see this page on how we are helping the education sector get safer by offering 250 free seats.

Recent posts