During a review of its email configuration and rules on August 6^th, the cybersecurity training firm SANS discovered that they’d been breached. Alarms were raised when they realized a rule had been set up to forward emails from one employer’s account to an unknown external email address. The incident response team discovered a phishing email which they confirmed to be the source of the attack. While they believe no other accounts at SANS to be compromised, this incident did allow for 513 emails to be forwarded to the attacker’s account. A majority of the emails did not contain any sensitive information, however in the few email messages that did include client data, around 28,000 records containing Personally Identifiable Information (PII) were transferred to the hands of the attacker. Subsets of data included were email, work title, first and last name, work phone, company name, industry, address, and country of residence. SANS removed the forwarding rule and Office 365 add-in that allowed for the issue to occur. SANS also said they will be contacting affected parties via email to notify them if their data was included.