- Was any personal data relating to me accessed or disclosed?
- Why might I have received the phishing email in my personal email account?
- Was any financial or fee-related information accessed from University systems?
- Has this incident been reported to the Information Commissioner’s Office (ICO)?
- What should I do if I am concerned?
- How can I stay safe from phishing emails?
Was any personal data relating to me accessed or disclosed?
Based on information currently available, the phishing emails were only sent to University email addresses. This means the only information that could have been exposed at a system level is your name, University email address, and University username. There is no evidence that any other personal data stored in University systems was accessed or compromised.
If you did not click on any links or respond by providing or entering any further details, your data will remain safe.
Some people did voluntarily share personal details or make payments after responding to the phishing emails. Any information given this way was provided directly by individuals from their own personal email accounts, not taken from University systems.
Why might I have received the phishing email in my personal email account?
Student emails are automatically forwarded from University email accounts to your personal email address to help ensure important communications are seen.
As a result, you may have received the phishing email in both your University inbox and your personal email account. Once an email is delivered to a personal email account, activity within that account is outside the University’s technical control.
The University has removed malicious emails from all University email systems under its control.
Was any financial or fee-related information accessed from University systems?
No. There is no evidence that any financial or account-related information held within University systems was accessed as part of this incident.
Any payment details involved have been shared voluntarily by individuals responding to phishing emails.
Has this incident been reported to the Information Commissioner’s Office (ICO)?
Yes, the incident has been reported to the Information Commissioner’s Office (ICO). The University has assessed the incident in line with its UK GDPR obligations and has taken appropriate steps to engage with the relevant external authorities, including the ICO.
What should I do if I am concerned?
If you believe you may have interacted with a phishing email or shared any information, please contact the IT Helpdesk immediately via our 24/7 phone line, +44 (0)1707 284678 (or ext. 4678), or by email at helpdesk@herts.ac.uk, letting them know how you responded, what information has been shared and to whom.
How can I stay safe from phishing emails?
Phishing emails are designed to create urgency and pressure you into acting quickly. To help protect yourself:
- Take your time before responding to unexpected requests or offers. Often these scams create false urgency to provoke panic, for example by using language such as ‘missed deadline’ or ‘outstanding payment due’.
- Never share personal or financial information unless you are certain the source is genuine.
- Never share your password or approve a multi-factor authentication (MFA) request you were not expecting.
- Avoid clicking links or opening attachments in suspicious emails.
- Check the sender carefully if something doesn’t feel right.
- Report any suspicious messages immediately to IT Helpdesk.
- You can update your personal email address for your student record. See Manage your emails to/from the University.
If you think you may have clicked a link or shared information, contact the IT Helpdesk immediately at helpdesk@herts.ac.uk. Acting quickly can help reduce risk.
For more information on staying safe online see our staying safe online checklist.