A malicious phishing attack has resulted in Lancaster University students and applicants having data stolen, with the data then being used to send fake invoices to applicants.
The data stolen included sensitive information such as names, phone numbers, email addresses, and ID documents. The breach apparently occurred as a result of the university’s systems being compromised.
In the BBC’s analysis, it was stated that:
Lawyer Helen Davenport, who advises clients on cyber security, said it was “essential” sectors such as higher education took cyber-security risks “seriously” and put training and software in place to “proactively shield against future attacks”.
She said “all eyes” would now be on how the attack had impacted students’ data and how the university intended “to guard against something likely to be attempted again”.
Failure to do so “could affect the attractiveness of the university to future candidates”, she added.
The full article from the BBC can be read here: https://www.bbc.co.uk/news/uk-england-lancashire-49081056
It’s important to note that although this breach is potentially very damaging for the students affected, Lancaster University has responded swiftly and efficiently. Since becoming aware of the breach on Friday, the university has taken steps to notify both the Information Commissioner’s Office (ICO) and the National Crime Agency (NCA).
It is also moving to protect its data subjects, securing its systems and contacting those affected with advice.
Having good procedures in place in case of a data breach will always be regarded favourably by the ICO. It will be a long time before we discover what penalty Lancaster University faces, but by taking the actions it has, it has likely reduced any fines.
If you’re uncertain about the correct procedures to follow in case of a data breach, we can help here at Activa Consulting. Click here to get in touch with us about our wide range of consultancy offers, including self-management software and interim Data Protection Officer services.