
Cyber Incident Victim: SANS Institute

Date: Aug 2020

Location: United States of America

Summary

A cybersecurity training organization experienced a data breach when an employee fell victim to a phishing attack, compromising their email account. The attacker configured a rule forwarding over 500 emails containing approximately 28,000 records of personal information, including email addresses, full names, phone numbers, job titles, company affiliations, and physical addresses—though no passwords or financial data were exposed. Internal digital forensics instructors led the investigation, confirmed that no additional systems were compromised, and implemented security enhancements. Affected individuals were notified of potential targeted phishing attempts leveraging the stolen data, and the organization planned to share investigative insights with the community once its review was complete.


Description

On August 6, 2020, the SANS Institute, a prominent cybersecurity training organization, discovered a data breach during a routine review of its email configuration systems. The breach originated from a phishing attack targeting a single employee, whose compromised email account allowed threat actors to establish persistent access. Attackers configured a rule within the account to forward all incoming emails—totaling 513 messages—to an external email address under their control. They also installed a malicious add-on within the Office 365 environment to facilitate data exfiltration. The forwarded emails contained approximately 28,000 records of personally identifiable information (PII) belonging to SANS members, including full names, email addresses, phone numbers, physical addresses, job titles, and company affiliations. No passwords, financial data, or credit card information was exposed in the incident. SANS attributed the breach solely to the phishing email’s success in compromising the employee’s account, with no evidence of broader system infiltration beyond the targeted mailbox.


SANS mobilized its internal cybersecurity instructors, including digital forensics experts, to lead the investigation and containment efforts. The response focused on identifying the attack’s scope, eliminating the malicious email-forwarding rule and add-on, and hardening email security configurations to prevent recurrence. Affected individuals received direct notifications advising vigilance against targeted phishing campaigns leveraging the stolen PII. The organization committed to sharing technical findings from its investigation via a future webcast, intending to translate the incident into actionable insights for the broader security community. No additional compromises or systemic vulnerabilities were identified during the investigation, confirming the breach’s isolation to the initially compromised account and its forwarded email data.
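The persistence mechanism in this incident was an ordinary inbox rule that forwarded every incoming message to an external address, and the containment step was finding and removing it. The script below is an added example, not SANS's code or anything from its investigation: it audits an export of mailbox inbox rules and flags rules that forward or redirect mail outside the organization, noting when such a rule also hides the local copy or has no conditions (so it matches all incoming mail). The record field names (RuleName, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder) are modelled on Exchange Online inbox-rule properties but are assumed here; the organization domain, mailboxes and addresses are constructed for the demonstration.

```python
"""Audit exported mailbox inbox rules for external forwarding (added example).

The sample records below are constructed: field names imitate an Exchange
Online inbox-rule export, and every domain and address is invented.
"""
import re
from dataclasses import dataclass

# Assumed organization domains; anything else counts as external.
INTERNAL_DOMAINS = {"example-org.test"}

# Matches a bare address or the "Name [SMTP:user@domain]" form; group 1 = domain.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Rule condition fields (assumed names); a rule with none set applies to all mail.
CONDITION_KEYS = ("From", "SentTo", "SubjectContainsWords", "BodyContainsWords")
# Folders attackers use to keep forwarded copies out of sight.
UNWATCHED_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    reasons: list


def external_recipients(addresses, internal=INTERNAL_DOMAINS):
    """Return the addresses whose domain is not one of the internal domains."""
    hits = []
    for entry in addresses:
        m = EMAIL_RE.search(entry)
        if m and m.group(1).lower() not in internal:
            hits.append(m.group(0).lower())
    return hits


def assess_rule(rule, internal=INTERNAL_DOMAINS):
    """Return (exfiltration_reasons, supporting_reasons) for one rule record."""
    exfil = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = external_recipients(rule.get(key, []), internal)
        if ext:
            exfil.append(f"{key} -> {', '.join(ext)}")

    support = []
    if rule.get("DeleteMessage") or rule.get("MoveToFolder", "").lower() in UNWATCHED_FOLDERS:
        support.append("hides the local copy (delete or move to an unwatched folder)")
    if not any(rule.get(k) for k in CONDITION_KEYS):
        support.append("no conditions: applies to every incoming message")
    return exfil, support


def audit_rules(rules, internal=INTERNAL_DOMAINS):
    """Flag only rules that send mail outside the organization."""
    findings = []
    for rule in rules:
        exfil, support = assess_rule(rule, internal)
        if exfil:
            findings.append(Finding(rule["Mailbox"], rule["RuleName"], exfil + support))
    return findings


# Constructed sample export: one benign filing rule, one internal forward,
# one rule shaped like the incident's (forward everything externally, delete copy).
SAMPLE_RULES = [
    {"Mailbox": "alice@example-org.test", "RuleName": "File newsletters",
     "SubjectContainsWords": ["Newsletter"], "MoveToFolder": "Newsletters"},
    {"Mailbox": "bob@example-org.test", "RuleName": "Copy tickets to helpdesk",
     "SubjectContainsWords": ["Ticket"],
     "ForwardTo": ["Helpdesk [SMTP:helpdesk@example-org.test]"]},
    {"Mailbox": "carol@example-org.test", "RuleName": ".",
     "ForwardTo": ["attacker-drop@mail.example.invalid"], "DeleteMessage": True},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.mailbox} rule '{f.rule_name}':")
        for reason in f.reasons:
            print(f"  - {reason}")
```

Run against a real export, the useful signal is the combination: an external forward plus deletion or a one-character rule name is far more suspicious than an external forward alone, which is why the supporting reasons are attached to the finding rather than generating findings of their own.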
