SANS Institute, a provider of cybersecurity training and certification services, lost approximately 28,000 items of personally identifiable information (PII) in a data breach that occurred after a single staff member fell victim to a phishing attack.

According to a notification from SANS Institute, on August 6th, as part of a systematic review of email configuration and rules, the organization identified a suspicious forwarding rule and initiated their incident response process. "This rule was found to have forwarded a number of emails from a specific individual's e-mail account to a suspicious external email address. The forwarded emails included files that contained some subset of email, first name, last name, work title, company name, industry, address, and country of residence. SANS quickly stopped any further release of information from the account," says the SANS Institute. 

As a result, 513 emails were forwarded to a suspicious external email address. As a result, approximately 28,000 records of PII were forwarded to a suspicious external email address, some containing  personally identifiable information (PII).

Upon discovery, the IT and security team, says the organization, removed the forwarding rule and malicious O365 add-in and also scanned for any similar occurrences within all other accounts and across the SANS Institute systems. 

“When a respected security organization, such as SANS Institute, experiences an event like this, it underscores that for many organizations attempting to prevent each and every attack is a fool’s errand and an expensive one at that," comments Tim Wade, Technical Director, CTO Team at Vectra. "The real hallmark of modern security is about resilience to attacks – the capacity to perform timely detection and response before material damage is done even after preventative controls have failed. Additionally, the steps that SANS Institute is taking to both complete a thorough investigation and use the outcome of that activity to further instruct and prepare the rest of the security community should be applauded.”

According to Heather Paunet, Vice President of Product Management at Untangle, phishing emails are the most common way cybercriminals can gain access to the network. "For example, many cybercriminals have turned their efforts to using the latest news about COVID-19 to hide their malicious intent. Cybercriminals are taking advantage of this and increasing their phishing attempts. These emails often appear to be similar to other emails reaching your inbox, but have clearly identifiable signs that they could be spam and malicious."

Paunet adds, "We are in a time where many people need to remain vigilant about their inbox, hovering over links from all email sources to make sure they correspond with the sender’s information, and double-checking who the email is actually from.”

Chris Hazelton, Director of Security Solutions at Lookout, notes that providing immediate feedback to users when they click on a phishing link is key. "Doing so can create a learning experience that could change the future behavior of your users. In fact, in 2019, we found that 44.4 percent of business users only clicked on one mobile phishing link after being immediately notified by Lookout of doing so. Enforcement of training has always been a challenge and now that employees are working from home and leveraging mobile devices more frequently, cybersecurity training programs need to include threats across all endpoints. This includes personal mobile devices," says Hazelton.

Isabelle Dumont, Vice President of Market Engagement at Cowbell Cyber, says that training is an effective approach to dealing with the human element of security. "The format is less important than having regular sessions to change behaviors," notes Dumont. "However, no business is immune to cyber incidents and many of the residual risks can be covered by cyber insurance.”