The SANS Institute has disclosed a security incident which resulted in 28,000 records of personally identifiable information (PII) being forwarded to an unknown email address.
The breach was discovered on August 6, during the review of email configuration and rules, according to the U.S.-based organization, which specializes in cybersecurity training, certifications and research.
During the audit, the company identified a forwarding rule on one email account that was set up to forward emails to an unknown external address. The rule impacted one individual’s account only, SANS explains.
The messages that were sent externally included files containing information such as first and last name, email address, physical address, country of residence, work phone, work title, company name, and industry.
The incident did not impact passwords or financial information such as credit card data.
“SANS quickly stopped any further release of information from the account,” the company says.
Before the leak was identified, however, a total of 513 emails were forwarded to the external email address, the majority of which did not include important information.
“Most of these emails were harmless, but some of these emails contained files with personally identifiable information (PII). As a result, approximately 28,000 records of PII were forwarded to an unknown external email address,” SANS reveals.
The company also says that a phishing email was found to be the initial attack vector, and that a single employee’s email account was affected, with no other accounts or systems compromised.
“Upon discovery of the malicious activity, our IT and security team removed the forwarding rule and malicious O365 add-in. We have also scanned for any similar occurrences within all other accounts and across our systems. We have found no other indications of compromise,” SANS says.
The company also noted that it has identified the individuals who were affected by the information leak and that it is already in the process of informing them about the incident.
SANS says the investigation into the incident continues, in an effort to ensure that no additional information was compromised and to improve the security of its systems.