SANS Institute lost 28,000 records of PII

On Aug 6, 2020, the SANS Institute reported a data incident in which 513 employee emails from Microsoft Outlook 365 were forwarded to an unknown external email address. The SANS Institute specializes in information security, cybersecurity training, and certifications. The exposed emails contained 28,000 records of customer personally identifiable information (PII). The incident was caused by a phishing email that led to a malicious O365 Add-In being granted access to forward emails to a third party. A representative at SANS stated, “We have identified a single phishing email as the vector of the attack. As a result of the email, a single employee’s email account was affected. Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised.”

They stated that affected parties have been notified by email and that no passwords or account information was lost. You can read more about the incident here.


The important thing to take away from this unfortunate incident is that companies of all sizes can use this as a teachable moment.

Lessons you can learn from this incident

  1. Audit email rules.
  2. Audit auto-forwarding rules.
  3. Audit add-ins: go to the Microsoft Admin Center -> Settings -> Add-ins.
  4. Most importantly, educate your end users about phishing attacks. This training should be continuous and personalized.
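The first three audits above can be run from Exchange Online PowerShell rather than clicked through one mailbox at a time. The script below is an added example, not code from the original post or from SANS or HacWare; it assumes the ExchangeOnlineManagement module is installed and that the account running it has read access to Exchange Online configuration. It lists inbox rules that forward or redirect mail, mailbox-level forwarding addresses, the tenant's external auto-forward settings, and organization and user-installed add-ins, and it flags any forwarding target whose domain is not one of the tenant's accepted domains.

```powershell
# Added example (not from the original post): audit Exchange Online for the three
# things the incident involved: inbox forwarding rules, mailbox forwarding, and add-ins.
# Assumption: ExchangeOnlineManagement module is installed and the signed-in account
# can read mailbox and organization configuration.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$report = @()

# Domains that belong to this tenant; anything else is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName

# Forwarding targets come back as strings such as  "Name" [SMTP:user@example.com]
function Get-ExternalTargets([string[]]$Targets) {
    $Targets | Where-Object {
        $_ -match 'SMTP:[^@\]]+@([^\]]+)' -and ($Matches[1] -notin $internalDomains)
    }
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {

    # 1. Inbox rules that forward, forward as attachment, or redirect mail
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ }
        if ($targets.Count -gt 0) {
            $report += [pscustomobject]@{
                Check    = 'InboxRule'
                Mailbox  = $mbx.UserPrincipalName
                Item     = $rule.Name
                Detail   = ($targets -join '; ')
                External = (@(Get-ExternalTargets $targets).Count -gt 0)
                Enabled  = $rule.Enabled
            }
        }
    }

    # 2. Mailbox-level forwarding (set by an admin, or by an app with mailbox permissions)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $report += [pscustomobject]@{
            Check    = 'MailboxForwarding'
            Mailbox  = $mbx.UserPrincipalName
            Item     = 'ForwardingAddress'
            Detail   = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
            External = ($null -ne $mbx.ForwardingSmtpAddress)   # SMTP addresses are external recipients
            Enabled  = $mbx.DeliverToMailboxAndForward
        }
    }

    # 3. Add-ins the user installed for themselves (organization-wide ones are listed below)
    Get-App -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.Scope -eq 'User' } |
        ForEach-Object {
            $report += [pscustomobject]@{
                Check    = 'UserAddIn'
                Mailbox  = $mbx.UserPrincipalName
                Item     = $_.DisplayName
                Detail   = "$($_.ProviderName) ($($_.AppId))"
                External = $null
                Enabled  = $_.Enabled
            }
        }
}

# Tenant-wide settings that decide whether auto-forwarding to external domains is possible at all
$remoteDefault = Get-RemoteDomain Default
$spamPolicies  = Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Write-Host "Default remote domain AutoForwardEnabled: $($remoteDefault.AutoForwardEnabled)"
$spamPolicies | Format-Table -AutoSize

# Organization-wide add-ins deployed for everyone
Get-App -OrganizationApp | Select-Object DisplayName, ProviderName, Enabled, DefaultStateForUser |
    Format-Table -AutoSize

# Findings: external forwarding first, since that is what leaked the SANS records
$report | Sort-Object @{Expression = 'External'; Descending = $true}, Check, Mailbox |
    Format-Table -AutoSize
$report | Export-Csv -Path .\exo-forwarding-audit.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Any row with External set to True deserves a look before anything else; a legitimate rule that forwards to a personal address is still a data path out of the tenant. Setting AutoForwardingMode to Off on the outbound spam policy (or AutoForwardEnabled to false on the default remote domain) blocks the whole class of rule the phishing add-in created, so the audit is worth rerunning after that change to confirm nothing still routes externally.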

Phishing attacks are becoming more sophisticated, and anyone can fall victim to them if they do not stay vigilant. HacWare's smart security awareness software automates this training for you at scale.

HacWare measures risky behaviors and automates personalized cybersecurity education to combat phishing attacks. HacWare's smart technology can reduce your phishing responses by 60%.

Learn more about HacWare at www.hacware.com.