SANS Institute Says 28,000 User Records Exposed in Email Breach

The SANS Institute has disclosed a security incident which resulted in 28,000 records of personally identifiable information (PII) being forwarded to an unknown email address.

The breach was discovered on August 6, during the review of email configuration and rules, according to the U.S.-based organization, which specializes in cybersecurity training, certifications and research.

During the audit, the company identified a forwarding rule on one email account, meant to forward emails to an unknown external address. The rule impacted one individual’s account only, SANS explains.

The messages that were sent externally included files containing information such as first and last name, email address, physical address, country of residence, work phone, work title, company name, and industry.

The incident did not impact passwords or financial information such as credit card data.

“SANS quickly stopped any further release of information from the account,” the company says.

Before the leak was identified, however, a total of 513 emails were forwarded to the external email address, the majority of which did not include important information.

“Most of these emails were harmless, but some of these emails contained files with personally identifiable information (PII). As a result, approximately 28,000 records of PII were forwarded to an unknown external email address,” SANS reveals.

The company also says that a phishing email was found to be the initial attack vector, and that a single employee’s email account was affected, with no other accounts or systems compromised.

“Upon discovery of the malicious activity, our IT and security team removed the forwarding rule and malicious O365 add-in. We have also scanned for any similar occurrences within all other accounts and across our systems. We have found no other indications of compromise,” SANS says.

The company also noted that it identified the individuals that were affected by the information leak and that it is already in the process of informing them about the incident.

SANS says the investigation into the incident continues, in an effort to ensure that no additional information was compromised and to improve the security of its systems.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
