The SANS Institute was the victim of a phishing attack that led to hundreds of emails from an internal account being forwarded to an unknown third party. The emails contained roughly 28,000 records of personally identifiable information (PII). The SANS Institute stated that it is currently investigating the data breach, which came to light on August 6 after routine email configuration reviews uncovered a suspicious forwarding rule.
According to SANS, the emails forwarded to the unknown third party contained information such as first names, last names, company names, addresses, countries of residence, and work titles. The external address received a total of 513 emails, which together account for the 28,000 exposed PII records. SANS also discovered that a malicious Office 365 add-on was installed on the victim’s machine as part of the phishing attack. The institute has vowed to take measures to prevent a similar attack from happening again.
Read More: SANS Institute Phishing Attack Leads to Theft of 28,000 Records
Comment from OODA CTO Bob Gourley:
SANS is one of the most virtuous organizations in the cybersecurity domain, responsible for high-quality training for a large percentage of the cybersecurity world. Leaders of SANS are also leaders in the community, helping all of us better understand the nature of the threat and what to do about it. So what does it mean when they have a breach? It means breaches can and will happen to the best. Organizations should design and operate their enterprise in ways that reduce the risk of breach but should also understand that surprises will happen. Put processes in place to detect and respond to attack. Based on information provided by SANS, we believe they were quick to detect that something anomalous happened and responded in ways that mitigated the risk significantly, which is good. SANS indicates they will be providing more information and no doubt this will become part of their training in the future. For more see: