Isn't this ironic: Top cybersecurity firm falls prey to phishing attack

phishing attack
(Image credit: Shutterstock)

Cybersecurity training organization the SANS Institute has disclosed a data breach that saw 28,000 records of personally identifiable information compromised.

The organization said it discovered the breach Aug. 6 after conducting a “systematic review of email configuration and rules”.

Shocking discovery 

It was during this review that the SANS Institute discovered a "suspicious forwarding rule" that it says “forwarded a number of emails from a specific individual's email account to an unknown external email address”.

The SANS Institute provides a range of information-security training, courses and certifications. Thousands of businesses and professionals rely on the organization to increase their understanding and awareness of security threats, so this breach is unfortunately very ironic. 

The firm said in a statement that the breach exposed personal information such as full names, email addresses, phone numbers, job titles, the names of organizations, sector, addresses and country. 

However, emails didn’t expose passwords or credit card numbers, according to the statement. 

It's not clear how many individual persons were affected by this data breach, or whether those persons were SANS employees, current or former SANS students, or other people.

The affected individuals might be subject to an increase in spam or spear-phishing attacks. It's also possible that this might have been a nation-state espionage attack to gather background data on information-security professionals. 

Either way, former SANS students are scattered throughout the cybersecurity industry worldwide. Any leverage the attacker might gain from this data breach could be used in further attacks on the former SANS students' organizations.

Major phishing attack

According to the SANS Institute, 513 emails were forwarded to the “unknown external email address” overall. While the institute claims that “most of these emails were harmless”, it added that “some of these emails contained files with personally identifiable information”.

“We have identified a single phishing email as the vector of the attack. As a result of the e-mail, a single employee's email account was impacted," said the statement. "Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised."

During its investigation, the organization also found a “malicious” Office 365 add-on alongside the dubious forwarding rule. But these have now been mitigated. 

“Upon discovery of the malicious activity, our IT and security team removed the forwarding rule and malicious O365 add-in," it said. "We have also scanned for any similar occurrences within all other accounts and across our systems. We have found no other indications of compromise." 


Since discovering the data breach, the SANS institute has begun to notify impacted parties via email and has opened an investigation to get to the bottom of the incident.

“SANS digital forensics instructors are heading up the investigation," the institute's statement said. "We are working to ensure that no other information was compromised and to identify opportunities to harden our systems and improve our response. 

“When the investigation is complete, we will run a webcast to outline our learnings if there is information that we think would be useful to the community.”

Data breaches are becoming more common as the digital ecosystem expands rapidly. The best way to protect yourself from these is by setting strong passwords, not rescuing them, using a password manager and downloading one of the best antivirus solutions

  • More: Stay anonymous without the spend with a cheap VPN

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!