Lancaster University Phishing Attack

Lancaster University has revealed it has been subjected to a ‘sophisticated’ phishing attack resulting in attackers gaining access to student and applicant data including names, addresses, email addresses and more.  

Experts Comments: 

Tim Galligan, GM of EMEA at SailPoint:   

“The phishing attack on Lancaster University goes to show that nothing and no-one is completely safe from hackers. Phishing attacks have become increasingly sophisticated in the past few years, helping criminals to impersonate legitimate organisations with eerie accuracy and believable details. As a result, no organisation should be asking if they will be breached, but more likely, when.    

“The premise of phishing depends on accessing the right data to build a believable trap that human users can fall into – therefore, it is more important than ever to ensure that the organisations we trust with that information are taking appropriate measures to protect it. People are the most vulnerable attack vector, which is why phishing attacks have remained so popular and have become even more sophisticated as everyone now relies on digital platforms for communication. IT teams can do a lot to prevent phishing attacks from reaching our inboxes – but everyone must think security first when providing our personal information.   

“It remains to be seen just how many students were impacted by this breach, however this event should remind us all that our personal information is our most valuable asset and we should secure and guard it carefully.”  

Ronan David, VP at EfficientIP:

“Phishing attacks are one of the most popular DNS attacks. They often result in data theft, revealing sensitive information and paralyzing systems. Our 2019 Global DNS Threat Report reveals over half (55%) of higher education organisations have been vulnerable to phishing attacks.”


Felix Rosbach, Product Manager at comforte AG:   

“As a private individual, sometimes there’s no way to be sure that the services we use are protected by an adequate amount of security. Even if you don’t enter payment details, your ID, name, and address can be used to start fraudulent activities.   

Therefore organizations have to disclose a breach and inform users as soon as possible to preserve trust. A fast response is only possible when already having a sophisticated incident response strategy in place.   

While the chances of being breached are higher than ever before, there is not much you can do about it. With an ever-growing attack surface, building just another wall around your network is not the best way forward. Especially when it comes to phishing attacks. In the end, the most important thing to do is to protect your customers’ data. With modern solutions such as FPE or tokenization, you can render PII (including names, addresses, and IDs) useless to hackers.”   

Tim Erlin, VP, Product Management and Strategy at Tripwire:   

Employee education is the first line of defense against phishing, but even trained security professionals can be fooled by a well-crafted attack. Organizations should put in place technical controls to prevent and detect successful attacks as well. It’s not enough to simply tell people not to click on dangerous links.