Updated Cops have cuffed a 25-year-old man from Bradford on suspicion of committing Computer Misuse Act crimes after Lancaster University suffered a data breach affecting more than 12,000 students and applicants.

In a statement the National Crime Agency said: "Officers from the NCA's National Cyber Crime Unit arrested the man on Monday (22 July) and he has since been released under investigation while enquiries are ongoing."

As we reported yesterday, Lancaster University admitted that a phishing attack had resulted in person or persons unknown accessing the personal data of people applying for undergraduate degree courses starting this year and in 2020.

Reg's sources: Students paid fraudulent invoices

Names, addresses, email addresses and phone numbers were among the categories of data visible to the hackers. Fraudulent invoices were sent to some, the university admitted. With overseas applicants (of which Lancaster had 575 last year from non-EU countries and 375 from other EU countries) paying fees measured in the tens of thousands of pounds per year, the potential for high returns is great.

Our sources added that around half a dozen students had paid these fraudulent invoices. The highest undergraduate fees for overseas (non-EU) students is Lancaster's Bachelor of Medicine, Bachelor of Surgery (MBChB) course at £31,540.

Sources with knowledge of the situation told The Register that the breach could potentially have affected 20,000 people all told. El Reg's own estimate of UK applicants affected by the breach stands at 12,500 people based on public UCAS data, as we set out yesterday.

We are further informed that the attackers' route in was through the compromise of a staff account with administrator credentials, handing the attackers a golden ticket with which to rampage through the university's systems.

Lancaster University declined to comment.

Back in April JISC, the artists formerly known as the UK academic Joint Information Systems Committee, warned that they had a 100 per cent success rate when researchers phished universities as part of a red-teaming exercise. Evidently someone wasn't listening. ®

Update

Lancaster University later got into touch to deny that the breach was caused by the compromise of an account with admin credentials.