Students’ personal data has been stolen in a “sophisticated and malicious” phishing attack at Lancaster University.
Officials said the information had been used to send bogus invoices to applicants.
“A very small number” of student records, phone numbers and ID documents were also accessed, it said.
The National Crime Agency (NCA) said the university had suffered a “compromise of its systems”.
In a statement, the university said it became aware of a breach on Friday and has been working to secure its systems.
It said the data included names, addresses, phone numbers and emails, linked to students who had applied to join the university in 2019 and 2020.
“We are aware that fraudulent invoices are being sent to some undergraduate applicants,” it said.
“At the present time, we know of a very small number of students who have had their record and ID documents accessed.”
It said the affected students would be contacted with advice.
Phishing involves attempts to trick web users into handing over sensitive information.
An NCA spokesman said: “A criminal investigation led by the NCA’s National Cyber Crime Unit is now under way, and it would not be appropriate to comment further at this stage.”
A spokesman for the Information Commissioner’s Office said it had received a report from the university and would assess the information provided.