A test of UK university defences against cyber-attacks found that in every case hackers were able to obtain “high-value” data within two hours.
The tests were carried out by “ethical hackers” working for Jisc, the agency providing internet services to the UK’s universities and research centres.
They were able to access personal data, finance systems and research networks.
University research projects have been major hacking targets, with more than 1,000 cyber-attacks last year.
The simulated attacks, so-called “penetration testing”, were carried out on more than 50 universities in the UK, with some being attacked multiple times.
A report into their effectiveness, published by Jisc (formerly the Joint Information Systems Committee) and the Higher Education Policy Institute (Hepi), showed a 100% success rate in getting through the cyber-defences.
Within two hours, and in some cases one hour, they were able to reach student and staff personal information, override financial systems and access research databases.
The tests were carried out by Jisc’s in-house team of ethical hackers, with one of the most effective approaches being so-called “spear phishing”.
This is where an email might appear to be from someone you know or a trusted source but is really a way of concealing an attack, such as downloading “malware”.
John Chapman, head of Jisc’s security operations centre, warned of the risk of a “disastrous data breach or network outage”.
And he said, on the basis of the test results, “we are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment”.
“Cyber-attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat,” said Mr Chapman.
Universities and research centres have faced repeated attacks from hackers, with more than 200 institutions reporting more than 1,000 attempts last year to steal data or disrupt services.
“Universities hold masses of data on sensitive research,” said Nick Hillman, director of Hepi.
A “few unscrupulous foreign governments are keen to access” this research, which was vital to “future UK economic growth”, he said.
Universities also held a great deal of personal information about their students, Mr Hillman added, and regulators might need to set minimum requirements for cyber-security.
University of Greenwich vice-chancellor David Maguire, who chairs the Jisc, said universities “accrue huge amount of data” and this “places a burden of responsibility on institutions, which must ensure the safety of online systems”.
The National Cyber Security Centre (NCSC), part of the GCHQ intelligence service, said most attacks on UK universities were related to phishing and attempts to gain entry for ransomware and malware.
But overseas states also targeted universities to steal intellectual property and “gain technological advantage”.
And last year “criminal actors based in Iran” had been blamed for some of the cyber-attacks against UK universities.
“NCSC experts work closely with the academic sector to improve their security practices and help protect education establishments from cyber-threats,” said a spokeswoman for cyber-defence agency.
A Universities UK spokeswoman said university leaders were working with the NCSC to “help improve and strengthen security practices to better protect the sector from cyber threats”.
“Data security is an absolute priority,” she added.