Security training body Sans Institute hit by data breach

The Sans Institute, a provider of cyber security training and certification services, has shown that even security professionals are not immune to compromise, after losing approximately 28,000 items of personally identifiable information (PII) in a data breach that occurred after a single staff member fell victim to a phishing attack.

The organisation, which has established a reputation as one of the most important sources of security training in the world, uncovered the leak on 6 August 2020, when it was conducting a systematic review of its email configuration and rules.

During this process, its IT team spotted a suspicious forwarding rule and a malicious Microsoft Office 365 add-in that together were able to forward 513 emails from a specific individual’s account to an unknown external email address before being detected.

Most of these emails were harmless, but a number included files that contained data including email addresses, first and last names, work titles, company names and details, addresses, and countries of residence. No financial information was included, and Sans said it quickly stopped any further release of information from taking place.

In its disclosure, the organisation said: “We have identified a single phishing email as the vector of the attack. As a result of the email, a single employee’s email account was affected. Aside from the affected user, we currently believe that no other accounts or systems at Sans were compromised.

“We have identified the individuals whose information was exposed and have or will be informing them of the data incident by email. You do not need to take any action apart from continuing to be alert as you would normally be, especially with any unsolicited communications.”

Sans is now conducting a digital forensics investigation headed up by its own cyber security instructors, and is working both to ensure that no other data was compromised and to identify areas it which it can harden its systems.

Once its investigation is complete, it said it plans to share its findings and learnings with the wider cyber security community.

Point3 Security strategy vice-president, Chloé Messdaghi, said: “The takeaway is that we all need to stay aware and humble – if a phishing attack can snag someone at the Sans Institute, it can happen to any of us who let our guard down.

“We might not ever know exactly how the person fell into the trap because they might not share the information, but it could have been a sales email, a message purporting to be from their manager, or on some topic of interest.

“Phishers definitely understand the human element, and they work to understand peoples’ pain points and passions to make their emails more compelling. They also know when to send a phishing email to drive immediate responses,” she said.

Messdaghi added that should the victim prove to be someone involved in Sans’ security operations or working on its IT team, the error might be indicative of stress or even burn-out, something that is increasingly afflicting security professionals, particularly during the coronavirus crisis.