Lancaster University has started withdrawing non-business-critical access to a breached student database – more than a week after the apparent hack took place.

Following the breach, which affected somewhere between 12,000 and 20,000 people, the northwest England uni has begun pulling staff access to its LUSI (Lancaster University Student Information) records system, which was developed in-house and first went live around five years ago.

In an email sent yesterday and seen by The Register, Heather Knight, director of students, education and academic services, wrote to staff saying: "In response to the recent cyber incident, we are taking steps to enhance the security of all University systems. We are therefore in the process of limiting users' access to data and functionality in LUSI."

Lancaster Uni data breach hits at least 12,500 wannabe students READ MORE

LUSI is the student and applicant records database that was targeted. A 25-year-old man from Bradford was arrested last week on suspicion of Computer Misuse Act crimes and released on police bail.

"In the first instance," continued Knight's email, "we are removing all users' access to LUSI online, except for those staff as identified as needing access for critical business reasons."

Around a thousand accounts had access to LUSI, a number which sources tell us has been slashed to around 100.

The university website explains that LUSI services include the Course Approvals and Information Tool (CAIT), which is the key system from which at least 12,500 applicants' personal data were siphoned just under a fortnight ago.

External web access to the LUSI portal appeared to have been disabled when The Register clicked to access it from the above linked webpage. On the weekend immediately following the hack, which is said to have taken place before Friday 19 July, sources told us the staff VPN was also shut down.

A university helpdesk page explaining LUSI states: "LUSI is developed and managed by CIS Academic and the Student Registry in Lancaster and holds data on every student that has ever studied at Lancaster University."

While this seems alarming on the face of it, a reasonable explanation would be that the university needs to keep a record of who it issued degrees to and when. In its initial statements about the breach, Lancaster said that only applicant data for the academic years 2019 and 2020 was stolen, along with some current students' data.

In a statement, Lancaster told The Register: "As soon as the university became aware of the breach it took steps, on a risk-based approach, to secure all university systems."

Despite the arrest of an apparent suspect, it seems strange for the university to take more than a week to revoke unnecessary access to what appears to be the hacked system.

Duncan Brown, chief EMEA security strategist at infosec biz Forcepoint, told The Register: "Phishing, no matter how sophisticated it is, comes down to people being tricked. If you're not able to understand the normal interactions of people and data, then when a breach occurs with its corresponding anomalous behaviour, it's very hard to spot and react to it.

"All companies must do better in quickly identifying issues and putting together a plan to address them. Faster incident response and breach handling is a necessity to appease regulatory bodies and maintain competitive advantage, regardless of your industry sector."

Brown added: "I think 10 days to react isn't unreasonable, as they don't want to suspend accounts unnecessarily. But prevention is always going to be preferred to cure." ®