back to article Irony, thy name is SANS: 28k records nicked from infosec training org after staffer's email account phished

Cybersecurity training organisation the SANS Institute suffered the loss of 28,000 items of personally identifiable information (PII) after a staffer's email account was accessed by malicious people. SANS published some details of the breach on its website. One person was phished, leading to the compromise of their email …

  1. Graham Cunningham

    Eh, what?

    "We are working to ensure that no other information was compromised"

    "Ensure" is a very reassuring word. But how, exactly, can that be done? How are they going to unleak any other information that they find was leaked? Did they, by any chance, mean, "We are working hard to figure out whether any other information was compromised"? That is a necessary, and more achievable, but ultimately much less reassuring aspiration.

    1. Roland6 Silver badge

      Re: Eh, what?

      Only discovered on 6th August 2020...

      I'll need to look back through my mail archive as it was some months ago (pre-UK lockdown) that I received a scam email that disclosed the password I only used for SANS...

      Can't remember if I sent an email/complete a contact us webform notifying SANS of a potential breech...

      1. Roland6 Silver badge

        Re: Eh, what?

        Just looked back through my machine, my mailbox rule have deleted the original spam email...

        But my web browsing records indicate it was received on the 18-Mar (lockdown started 16-Mar).

        Also, I didn't register for the virtual DFIR Summit.

        However, as my account was just for my email communications preferences (with no option to change the password), I suspect Sans don't know the full extent of the breech....

    2. Doctor Syntax Silver badge

      Re: Eh, what?

      It's not very reassuring that they don't know the difference.

  2. Lee D Silver badge

    Since when have people's emails been "largely available in public databases"?

    1. Doctor Syntax Silver badge

      I think they meant spam lists.

    2. gnwiii

      Public databases with emails and phone numbers

      "The Government Electronic Directory Services (GEDS) provides a directory of public servants across Canada.

      Information in this directory is supplied by individual federal government departments and agencies and updated by one or more data administrators within each department.

      Some departments do not list all their employees."

      If you publish in journals, author names and email addresses are generally included.

    3. Pu02

      Email address was probably the first digital attribute used to productise us

      If you work for a significant organisation, its emails, and yours (if sent from the Org's domain) are stored and published in indirect ways by social sites run by the Borg, Redmond and emzillions of others.

      There are site crawlers that work to collect and maintain them. Most promote a 'reliability' score out of 100 and on-sell access to anyone.

      Not to mention a global industry of 'contact' and 'list maintenance' services, ever since 'telemetry' became an accepted, ubiquitous thing. Let alone data exfiltrators feeding all the online anonymous vendors.

  3. williamsth

    Information in public database

    So glad to see the info was in a public database. That makes it all better then!

  4. A. Ott

    Publicly Available Already, That's Alright Then

    Whatever happened to the organization's duty of care to protect PII in it's own database(s) whether it is available in some other organzation's data assets or not? Whatever happened to the notion of a zero trust network? After all, SANS was promoting those principals as recently as April 21 of this year ...

  5. cd

    Is there a way that an email client could collect attachments into a secure local storage and reference those in the original email?

    1. tfewster

      Or don't email PII. Send a link to a file that needs you to have authenticated to the network via a VPN using MFA. Y'know, basic stuff that any security conscious organisation would do.

      And that's a pretty weak statement from SANS - very disappointing.


    Glad that I signed up

    Glad that I signed up using my John Mcafee alias. Whew. Seriously I did get my unique email address for this spammed over the past few months. Probably more to this story as is typical when releasing news on a data breach givaway.

  7. Anonymous Coward
    Anonymous Coward

    What a waste of money then, one course of 4 days picked at random 7085.00EUR !!

    1. hmv

      Have you ever been on a SANS course? I have and they're definitely a bit more intensive than the run of the mill courses you sometimes get. Yes they're expensive which is partially because their trainers are security practitioners who work in the industry, although I dare say there's a bit of market gouging going on.

  8. Jedit Silver badge

    "Cybersecurity training organisation the SANS Institute"

    I hope everyone has learned a valuable lesson here: never use comic SANS in a business context.

  9. taxman


    The words hoisted and petard come to mind on reading this news item, but then again it really just goes to show that what is taught and tested to those of us who pay should also be preached and tested to those who are employed (consultants and full time staff) by SANS.

    Perhaps SANS should in future make it a condition that all their employed staff undertake and pass their own courses in addition to putting in robust measures to filter or indicate potential "bad" emails?

    1. jtaylor

      Re: Suprise!!!!!

      I'm not at all surprised. Humans are complex and fallible. And security is relative, not absolute.

      We know there was a minor breach at SANS. We don't know how much effort was applied to create that breach. It's hard to say what countermeasures would have prevented this.

      SANS has some extremely capable people. "Don't teach your grandmother to suck eggs."

  10. Potemkine! Silver badge

    Another lesson

    No one is safe, even a cybersecurity-oriented company.

    They were lucky this time it wasn't a ransomware. Be sure to have offline backups and test to restore them regularly.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like