Threat Watch

Data Breach Strikes SANS Security Firm

During a review of its email configuration and rules on August 6th, the cybersecurity training firm SANS discovered that they’d been breached. Alarms were raised when they realized a rule had been set up to forward emails from one employer’s account to an unknown external email address. The incident response team discovered a phishing email which they confirmed to be the source of the attack. While they believe no other accounts at SANS to be compromised, this incident did allow for 513 emails to be forwarded to the attacker’s account. A majority of the emails did not contain any sensitive information, however in the few email messages that did include client data, around 28,000 records containing Personally Identifiable Information (PII) were transferred to the hands of the attacker. Subsets of data included were email, work title, first and last name, work phone, company name, industry, address, and country of residence. SANS removed the forwarding rule and Office 365 add-in that allowed for the issue to occur. SANS also said they will be contacting affected parties via email to notify them if their data was included.

ANALYST NOTES

Any users who receive suspicious emails in their inboxes with attachments or links to websites are advised not to click on them. An alternate method to checking this link would be to open a browser and type the link in directly to the URL bar. Scammers will use seemingly trustworthy company logos and signatures to try to trick users, however, if users are vigilant, they can notice slight variations that are signs that the email or website is a fake.

Source: https://www.darkreading.com/attacks-breaches/sans-security-training-firm-hit-with-data-breach/d/d-id/1338647