SANS cybersecurity training firm suffers data breach due to phishing attack

The breach compromised 28,000 records, exposing such data as names, phone numbers, physical addresses, and email addresses.

phishing

Image: weerapatkiatdumrong, Getty Images/iStockphoto

A company that offers cybersecurity training has found itself the victim of a cyberattack. On Aug. 6, security training firm SANS Institute discovered a data breach of approximately 28,000 records as the result of one successful phishing attack against a single employee.

SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic) 

Disclosing the incident in a website post, SANS said that a total of 513 emails were forwarded to an unknown external email address. Most of these emails were "harmless," according to the company. But some contained files with personally identifiable information (PII), pointing to the 28,000 records that were compromised.

SANS revealed that it found the following types of breached PII: email address, work title, first name, last name, work phone, company name, industry, address, and country of residence. However, it uncovered no evidence that passwords or financial data such as credit card numbers were compromised. SANS said it has identified the people whose accounts were compromised and will be contacting them by email.

Detecting the incident during a systematic review of its email configuration and rules, SANS said it uncovered a suspicious forwarding rule that was directing emails from an individual internal account to the unknown external account. Beyond the one individual account, the company said it doesn't believe any other accounts or systems were affected.

However, there is a certain alarm that a cybersecurity training firm should itself be caught in a security incident, even if due to the actions of a single employee.

"The breach of SANS highlights that no organization is immune from compromise, even those that specialize in information security," said Chris Clements, VP of solutions architecture for Cerberus Sentinel. "We don't know if SANS had two-factor authentication enforced, or if the attacker was able to bypass those controls if in place. It is surprising that an organization like SANS would suffer such a large breach and that the compromise was not detected until a supposedly unrelated review of email configurations was taken."

After finding the activity, SANS said its IT and security team deleted the forwarding rule as well as a malicious O365 add-in. The company scanned other accounts for similar issues but said it found no other areas that were compromised.

Moving forward, SANS forensics instructors are investigating the incident to make sure no other data was affected and to find ways to improve its security defenses. Once the investigation concludes, the company said it plans to run a webcast to discuss its findings.

With many people working from home with all the usual distractions, focusing on security can be a more challenging task. Phishing attacks in particular rely on users who fail to investigate a suspicious email before responding to it.

"These days, we're distracted and simply not paying as much attention as we usually might," said Lisa Plaggemier, chief strategy officer at MediaPro. "Pressure to 'act now' is one of the signals to look for in a Business Email Compromise (BEC)—a phish that looks like it's coming from a supervisor or business contact asking you to transfer money, pay an invoice, etc. We're hungry for the latest news, so we may be more likely to open and click on an email that mimics a legit email."

But with remote working, the proper training is more essential than ever. In the case of phishing attacks, training should include phishing simulations where employees are taught how to respond to suspicious emails.

"Enforcement of training has always been a challenge, but not being able to walk down the hall and remind employees to complete training makes things extra difficult," said Chris Hazelton, director of security solutions at Lookout. "Security teams could use more of a stick versus the carrot approach, such as temporarily blocking access to some corporate resources for users and devices that are out of compliance. Now that employees are working from home and leveraging mobile devices more frequently, cybersecurity training programs need to include threats across all endpoints including personal mobile devices."

Also see

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.