Phishing attack highlights cyber security need at universities

Less than two months after a report revealed that universities are continually under cyber attack, Lancaster University has reported a phishing attack to the National Crime Agency (NCA) and the Information Commissioner’s Office (ICO).  

According to the report sponsored by VMware and Dell EMC, cyber attacks on UK universities presents an increasing risk to national security, with 93% of university research commissioned by government and almost a third of that relating to national security.

Lancaster University said it acted as soon as it became aware of breaches of student and applicant data on 19 July 2019 by setting up an incident response team and reporting the matter to the ICO.

Since discovering the breaches, the university said it had focused on safeguarding its IT systems and identifying and advising students and applicants who have been affected.

“This work of our incident team is ongoing, as is the investigation by law enforcement agencies,” the university said in a statement.

The breaches affect two sets of data. First, undergraduate student applicant data records for 2019 and 2020, including names, addresses, telephone numbers and email addresses.

“We are aware that fraudulent invoices are being sent to some undergraduate applicants. We have alerted applicants to be aware of any suspicious approaches,” the university said.

Second, the university said a breach was also detected in the student records system, affecting “a very small number of students” who have had their record and identity documents accessed. “We are contacting those students to advise them what to do,” the university said.

Applicants, students and staff are advised to contact the university if they receive any suspicious communications, the statement said, adding that the university will not make any further comment while the investigation is still underway.

Tim Sadler, CEO at cyber security firm Tessian, said universities are increasingly becoming prime targets for cyber attackers.

“In its recent report, the National Cyber Security Centre (NCSC) revealed that university-related phishing scams have significantly increased over the past year, while its list of top 10 phishing takedowns in 2018 included three universities and the Student Loans Company,” he said.

“With student data and records at risk, universities need to consider how best to protect their people from falling prey to these attacks as they become more frequent.”

Mick Bradley, vice-president for Europe at data protection firm Arcserve, said the phishing attack and data breaches at Lancaster University are another example of the increasing challenge that universities are facing.

“As cyber criminals continue to prey on educational establishments, the security of student, teacher and staff personal data is at risk,” he said.

Universities not only need to educate students and staff on how to avoid falling into phishing traps, Bradley believes it is also vital that there is an infrastructure in place to be able to maintain continuity of operations and provide effective data protection.

As attackers continue to raise the bar, Andrew Bushby, UK director at Fidelis Cybersecurity, said educational institutions need to ensure they have the tools they need to understand the full extent of a security event.

“Instead of relying on just a spam filter, or even mail administrators to help find the phishing emails, detection systems using rich metadata need to be efficiently leveraged. With metadata, organisations can easily scope the event and gain the context necessary to act on phishing scams,” he said.

Felix Rosbach, product manager at data protection firm Comforte, said that with an ever-growing attack surface, building just another wall around the network is not the best way forward.

“Especially when it comes to phishing attacks. The most important thing to do is to protect your customers’ data. With modern solutions such as tokenisation, you can render personal information useless to hackers.”

Helen Davenport, partner at law firm Gowling WLG, said that despite the business sector arguably being more sophisticated when it comes to taking more preventative measures around cyber security, it is essential that other sectors, such as higher education, take the risk seriously and put the training processes and software capabilities in place to proactively shield against future attacks  

“All eyes will now be on university officials, in terms of assessing if the original attack has affected the data of additional students and, vitally, how they intend to guard against something that is likely to be attempted again. A failure to incorporate prevention where cyber security is concerned may affect the attractiveness of the university to future candidates and its ultimate bottom line,” she said.