[BreachExchange] Man arrested over Lancaster University cyber attack

Destry Winant destry at riskbasedsecurity.com
Thu Jul 25 10:03:53 EDT 2019


https://news.sky.com/story/man-arrested-over-lancaster-university-cyber-attack-11769576

A man has been arrested on suspicion of computer crimes and fraud
offences by police investigating the theft of student data from
Lancaster University.

The 25-year-old, who has not been named, has been released under
investigation while the National Crime Agency continues to work with
the university to find out what happened.

The arrest took place on Monday, according to the NCA's cyber crime unit.

According to Lancaster University, a hacker or hackers accessed the
records for undergraduate student applications to enter the university
in 2019 and 2020.

The information is considered highly sensitive and includes names,
addresses, telephone numbers and email addresses.

"We are aware that fraudulent invoices are being sent to some
undergraduate applicants. We have alerted applicants to be aware of
any suspicious approaches," the university said.

Another breach was also identified affecting the university's student
records system.

"At the present time we know of a very small number of students who
have had their record and ID documents accessed. We are contacting
those students to advise them what to do," the university said.

"We acted as soon as we became aware that Lancaster was the source of
the breach on Friday and established an incident team to handle the
situation.

"It was immediately reported to the Information Commissioner's Office."

There is a legal requirement for businesses which lose people's data
to inform the ICO within 72 hours or face substantial fines.

Organisations are also required to hold on to this data securely and
if it is not found to be secure then they could similarly face a large
fine.

In 2016 telecommunications company TalkTalk was given a record
£400,000 fine by the ICO for failing to properly secure its customers'
data.

At the time, the ICO stated TalkTalk could have prevented the data
breach the previous October if the firm had taken basic steps to
protect customers' information.

Lancaster University added: "Since Friday we have focused on
safeguarding our IT systems and identifying and advising students and
applicants who have been affected.

"This work of our incident team is ongoing as is the investigation by
law enforcement agencies."

