Sans Institute phishing attack: Hackers exfiltrated 28,000 data records

Cyber security training and certifications provider Sans Institute recently suffered a data breach after an employee fell victim to a phishing email that allowed attackers to steal around 28,000 personal data records of the institute's employees.

The breach was discovered by the Sans Institute on 6th August while it was conducting a systematic review of email configuration and rules. During that review, the institute found a suspicious forwarding rule on one email account, together with a malicious Office 365 add-in, which between them caused 513 emails to be forwarded to a suspicious external email address.

Some of the forwarded emails contained personal information about Sans Institute employees, including email addresses, work titles, first and last names, work phone numbers, company names, addresses and country of residence. The emails did not contain employees' passwords or financial information.

"We have identified a single phishing e-mail as the vector of the attack," the institute said in a press release, adding that "approximately 28,000 records of PII were forwarded to a suspicious external email address" and that "no other accounts or systems at SANS were compromised".

"Upon discovery of the malicious activity, our IT and security team removed the forwarding rule and malicious O365 add-in. We have also scanned for any similar occurrences within all other accounts and across our systems. We have found no other indications of compromise.

"SANS digital forensics instructors are heading up the investigation. We are working to ensure that no other information was compromised and to identify opportunities to harden our systems and improve our response. When the investigation is complete, we will run a webcast to outline our learnings if there is information that we think would be useful to the community," it added.
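The kind of forwarding-rule review the institute describes, as an added Python example that is not part of this article or of SANS's own tooling: it takes inbox rules exported from Exchange Online (assumed to be in the shape of `Get-InboxRule | ConvertTo-Json`, with constructed sample data embedded inline) and flags any rule that forwards or redirects mail to a domain the organisation does not own, noting when the rule also hides the forwarded copies from the mailbox owner.

```python
import re

# Domains the organisation owns; any other destination is external (constructed value).
INTERNAL_DOMAINS = {"example.org"}

# Exchange renders rule recipients as 'Display Name [SMTP:user@domain]' or 'smtp:user@domain'.
ADDR_RE = re.compile(r"(?:SMTP:)?([\w.+-]+@[\w.-]+)", re.IGNORECASE)

# Constructed sample in the assumed shape of `Get-InboxRule | ConvertTo-Json` output.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.org", "Name": "Archive newsletters", "Enabled": True,
     "MoveToFolder": "Newsletters"},
    {"MailboxOwnerId": "bob@example.org", "Name": ".", "Enabled": True,
     "ForwardTo": ["bob personal [SMTP:bob.mail@mail-relay.example]"], "DeleteMessage": True},
    {"MailboxOwnerId": "carol@example.org", "Name": "Team copy", "Enabled": True,
     "ForwardTo": ["dave [SMTP:dave@example.org]"]},
]


def recipient_domains(entries):
    """Yield the lower-cased domain of every SMTP address in a rule's recipient list."""
    for entry in entries or []:
        for addr in ADDR_RE.findall(entry):
            yield addr.rsplit("@", 1)[1].lower()


def audit_inbox_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule that forwards or redirects mail outside internal_domains.
    A rule that also deletes or marks messages read hides the copies from the owner."""
    findings = []
    for rule in rules:
        domains = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            domains.extend(recipient_domains(rule.get(key)))
        external = sorted({d for d in domains if d not in internal_domains})
        if not external:
            continue
        findings.append({
            "mailbox": rule["MailboxOwnerId"],
            "rule": rule.get("Name", ""),
            "enabled": rule.get("Enabled", True),
            "external_domains": external,
            "hides_copies": bool(rule.get("DeleteMessage") or rule.get("MarkAsRead")),
        })
    return findings


if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULES):
        print(f"{f['mailbox']}: rule {f['rule']!r} forwards to {f['external_domains']}"
              f"{' and hides the copies' if f['hides_copies'] else ''}")
```

Mailbox-level forwarding set outside inbox rules (the `ForwardingSmtpAddress` attribute on the mailbox itself) is a separate setting and needs its own check.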

Commenting on the data security incident suffered by the Sans Institute, Ilia Kolochenko, founder and CEO of ImmuniWeb, told Teiss that, like many others, SANS seems to have fallen victim to unforeseen work-from-home (WFH) measures that have undermined many of the security mechanisms and controls readily available in the office.

"The breach of one single email, however, should not lead to such a significant exposure of PII data, even if it’s a drop in the ocean of disclosed data breaches from the last 18 months. Attackers will now gradually focus their attention on cybersecurity companies and organisations to get their clients' privileged information or credentials," he added.


Copyright Lyonsdown Limited 2020