SANS InfoSec institute loses 28,000 records in phishing attack

SANS is known for providing high-profile and expensive training on InfoSec and cyber security. Oh, the irony.

SANS is known for providing expensive training on InfoSec and cyber security to individuals and institutions.


SANS has suffered a phishing attack in which one staff member fell prey to the scam, leading to the disclosure of personally identifiable information.

Cyber security training services provider SANS Institute became the victim of a data breach, losing around 28,000 records of personally identifiable information (PII). SANS Institute is regarded as the holy grail of the cyber security industry, which is why this incident raised eyebrows. It indicates that even the world’s best security training firm isn’t invulnerable to data breaches.

In its official notice, SANS explained that the data breach was discovered on 6 August 2020 while the company’s IT team was carrying out a ‘systematic review of its email configuration and rules.’ The team noticed a suspicious forwarding rule along with a malicious Microsoft Office 365 add-in.

These two sources, collectively, forwarded 513 emails from an individual’s email account to an unknown external email ID. The activity was detected only after the email forwarding spree was completed.
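The kind of rule review that surfaced this forwarding rule can be scripted. The sketch below is an added example, not code from SANS or from the original article: it scans an inbox-rule export for forwarding or redirect actions that point outside the organisation. The property names are those of Exchange's Get-InboxRule output; the export shape (a list of dicts), the sample data and the `corp.example` domain are assumptions.

```python
import re

# Get-InboxRule properties that send copies of mail to another recipient.
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def is_internal(domain, internal_domains):
    """True if domain equals an owned domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit_rules(rules, internal_domains):
    """Return one finding per external SMTP recipient in a forwarding action."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        for action in FORWARD_ACTIONS:
            values = rule.get(action) or []
            if isinstance(values, str):  # a single recipient may export as a string
                values = [values]
            for value in values:
                # Recipients without an SMTP address (EX: directory entries)
                # do not match and need a separate directory lookup.
                for match in ADDRESS_RE.finditer(value):
                    if is_internal(match.group(1).lower(), internal):
                        continue
                    findings.append({
                        "mailbox": rule.get("MailboxOwnerId"),
                        "rule": rule.get("Name"),
                        "enabled": bool(rule.get("Enabled", True)),
                        "action": action,
                        "recipient": match.group(0).lower(),
                    })
    return findings


# Constructed sample export: mailboxes, rule names and domains are made up.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@corp.example", "Name": "Newsletters",
     "Enabled": True, "MoveToFolder": "Reading"},
    {"MailboxOwnerId": "bob@corp.example", "Name": ".", "Enabled": True,
     "ForwardTo": ['"x" [SMTP:collector@mail.example.net]']},
    {"MailboxOwnerId": "carol@corp.example", "Name": "To assistant",
     "Enabled": True, "RedirectTo": '"Dan" [SMTP:dan@eu.corp.example]'},
    {"MailboxOwnerId": "erin@corp.example", "Name": "Old copy", "Enabled": False,
     "ForwardAsAttachmentTo": ['"me" [SMTP:erin@personal.example.org]']},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, ["corp.example"]):
        print(finding)
```

Disabled rules are reported too, with `enabled` set to false, since a dormant external forward can be re-enabled later.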


According to SANS Institute, the forwarded emails contained files that included details like the email’s subset, first name, last name, company name, work title, address, industry, and country of residence.


However, the company maintains that most of the forwarded emails were harmless, and the PII was part of a considerably lower number of emails.

Moreover, the company confirmed that financial data and passwords weren’t part of any of the files. It is worth noting that approximately 28,000 records were forwarded to an unidentified email address.

In its disclosure, the company noted that a ‘single phishing email’ was used as the attack vector, which targeted one employee’s email account. SANS has categorically stated that a single employee’s email was affected, and no other accounts or systems were compromised.


The affected individuals, whose information was part of the leaked emails, have been identified and asked to remain alert and ignore any ‘unsolicited communications.’ In its security notice, the company added that:

We have identified a single phishing e-mail as the vector of the attack. As a result of the e-mail, a single employee’s email account was impacted. Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised.


At the moment, SANS is investigating the incident and plans to share its findings with the cyber security fraternity soon.
