The personal data of students and applicants has been stolen in a "sophisticated and malicious" phishing attack at Lancaster University.
Officials said the information had been used to send bogus invoices to undergraduate applicants.
"A very small number" of student records, phone numbers and ID documents were also accessed, the university said.
The National Crime Agency (NCA) said the university had suffered a "compromise of its systems".
In a statement, the university said it became aware of a breach on Friday and has been working to secure its systems.
It said the data included names, addresses, phone numbers and emails, linked to students who had applied to join the university in 2019 and 2020.
"We are aware that fraudulent invoices are being sent to some undergraduate applicants," it said.
"At the present time, we know of a very small number of students who have had their record and ID documents accessed."
It said the affected students would be contacted with advice.
Phishing involves attempts to trick web users into handing over sensitive information.
An NCA spokesman said: "A criminal investigation led by the NCA's National Cyber Crime Unit is now under way, and it would not be appropriate to comment further at this stage."
A spokesman for the Information Commissioner's Office said it had received a report from the university and would assess the information provided.
Lawyer Helen Davenport, who advises clients on cyber security, said it was "essential" sectors such as higher education took cyber-security risks "seriously" and put training and software in place to "proactively shield against future attacks".
She said "all eyes" would now be on how the attack had impacted students' data and how the university intended "to guard against something likely to be attempted again".
Failure to do so "could affect the attractiveness of the university to future candidates", she added.