Students’ personal data has been stolen in a “sophisticated and malicious” phishing attack at Lancaster University.
Officials said the information had been used to send bogus invoices to applicants.
“A very small number” of student records, phone numbers and ID documents were also accessed, it said.
The breach has been reported to police and the Information Commissioner’s Office (ICO).
In a statement, the university said it became aware of a breach on Friday and has been working to secure its systems.
It said the data included names, addresses, phone numbers and emails, linked to students who had applied to join the university in 2019 and 2020.
“We are aware that fraudulent invoices are being sent to some undergraduate applicants,” it said.
“At the present time, we know of a very small number of students who have had their record and ID documents accessed.”
It said the affected students would be contacted with advice.
Phishing involves attempts to trick web users into handing over sensitive information.
A spokesman for the ICO said it had received a report from the university and would assess the information provided.