Ethical hackers working for Jisc, the agency providing internet services to the UK's universities and research centres accessed personal data, finance systems and research networks.
University research projects get knocked over all the time with more than 1,000 cyber-attacks last year.
Penetration testing was carried out on more than 50 universities in the UK, with some being attacked multiple times.
Jisc (formerly the Joint Information Systems Committee) and the Higher Education Policy Institute (Hepi), showed a 100 percent success rate in getting through the cyber-defences.
Within two hours, and in some cases one hour, they were able to reach student and staff personal information, override financial systems and access research databases.
The most effective approach was "spear phishing".
John Chapman, head of Jisc's security operations centre, warned of the risk of a "disastrous data breach or network outage… we are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment" Cyber-attacks are becoming more sophisticated and prevalent and universities can't afford to stand still in the face of this constantly evolving threat".
The National Cyber Security Centre (NCSC), part of the GCHQ intelligence service, said most attacks on UK universities were related to phishing and attempts to gain entry for ransomware and malware.
But overseas states targeted universities to steal intellectual property and "gain a technological advantage".
And last year "criminal actors based in Iran" had been blamed for some of the cyber-attacks against UK universities. We would have thought that any actors would have been too busy learning their lines and trying to get auditions to worry about hacking UK databases.