Privacy Perils: Data Breach Strikes Cybersecurity Training Company

August 28, 2020
Firm Publication

Most of us have never heard of SANS, a prominent and well-respected cybersecurity training company. As its website states, “SANS is the most trusted and by far the largest source for information security training in the world.” However, even the organization least likely to experience a data incident can fall victim. On August 11, Bleeping Computer reported that SANS had disclosed that a single successful phishing email enabled the attacker to set up an email-forwarding rule that transmitted 513 emails containing 28,000 records of personally identifiable information (PII) to a suspicious external email address. To its credit, SANS apparently discovered and disabled the rule quickly, and promptly disclosed the incident. Importantly, SANS was transparent about what had happened. As described in the Ride the Lightning information security blog, SANS turned the event into an educational opportunity by hosting a webcast to “walk through the technical details of the incident, how it happened, our investigation details, current indicators of compromises, and finally our overall lessons learned and security awareness recommendations to prevent these incidents in the future.”

The point? Even those employed at a sophisticated, knowledgeable and cyber-aware organization are not immune to successful cybersecurity attacks. Each of us must continually be mindful and prudent when dealing with our email. Haste can lay waste. Remain alert and attentive, as “[t]he battle, sir, is not to the strong alone; it is to the vigilant, the active, the brave.” – Patrick Henry.

Check out our series, Privacy Perils, to learn what steps you can take to guard your personal and company data. For more information about this topic and other cybersecurity concerns, please contact Bob Brewer, Tony McFarland, Elizabeth Warren or a member of our Privacy & Data Security team.