Stanford University is investigating an alleged data breach after the Akira ransomware gang claimed it breached the institution and exfiltrated 430 GB of data, including private information and confidential documents.
“Stanford is known for its entrepreneurial character, drawing from the legacy of its founders, Jane and Leland Stanford, and its relationship to Silicon Valley,” Akira wrote. “Soon the university will be also known for 430 GB of internal data leaked online.”
The group demanded an undisclosed ransom amount and threatened to leak the stolen data if the university failed to comply. Akira typically demands extortion payments ranging from $200,000 to $4 million.
Stanford University data breach is under investigation
Stanford University has not confirmed whether it received Akira’s ransom demands but indicated that it was investigating a cybersecurity incident.
“We are continuing to investigate a cybersecurity incident at the Stanford University Department of Public Safety (SUDPS) to determine the extent of what may have been impacted,” the university posted.
The university disclosed that the cyber incident did not disrupt its daily operations or spread to other departments. However, the number of individuals impacted by the data breach was still undetermined.
“Based on our investigation to date, there is no indication that the incident affected any other part of the university, nor did it impact police response to emergencies. The impacted SUDPS system has been secured,” the university said.
Maintaining that the integrity of its information systems was a priority, the university said it was working with external security specialists to understand the scope of the data breach.
“Our privacy and information security teams have been giving this matter their concerted attention, in coordination with outside specialists,” Stanford University said. “The investigation is ongoing and once it is completed, we will act accordingly and be able to share more information with the community.”
The Akira ransomware group did not disclose the attack vector exploited or the nature of the information stolen.
However, SUDPS handles crime reports, risk assessments, and students’ and faculty members’ personal information. Public disclosure of such records could harm the people they concern.
Consequently, Stanford University could feel pressure to pay the ransom to reduce the chances of sensitive information being leaked. However, paying a ransom does not guarantee that the threat actors will not misuse or share the stolen data anyway.
Craig Harber, a Security Evangelist at Open Systems, said the Stanford University data breach might be related to other incidents reported at the institution.
“This cyber incident may be related to several other events at Stanford University this year, including a reported breach of the University’s Department of Public Safety firewall and another incident involving third-party software,” Harber said. “These prior incidents could indicate a stealthy campaign by the hacker to remain hidden while they covertly discover and collect sensitive information.”
Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ, said the Stanford data breach highlighted the need for universities to evaluate their cybersecurity defenses, identify any gaps that threat actors could exploit, and develop a more preventative approach.
Past security incidents at Stanford University
Stanford University is no stranger to data breaches resulting in personal information disclosure. Since 2021, the university has suffered three data breaches, with the Clop ransomware gang breaching the institution twice.
In April 2021, the university disclosed that it suffered an Accellion FTA data breach at the Stanford University School of Medicine.
First detected in March 2023, Akira ransomware indiscriminately attacks all sectors, including healthcare, government, critical infrastructure, and education (K-12 schools, school districts, colleges, and universities). Within six months, the group had claimed more than 63 victims, primarily small and medium-sized businesses (SMBs).
Security experts believe the Akira ransomware gang branched off from the defunct Conti ransomware operation, based on overlapping cryptocurrency wallets and shared source code. The group gains initial access to corporate networks through compromised credentials, unsecured or vulnerable virtual private networks (VPNs), and phishing.
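The initial-access pattern described above (credential abuse against a VPN gateway) is something a defender can hunt for in authentication logs. The following is an added example, not code from the original article or from any of the organisations it names: it parses a small, constructed VPN authentication log in a hypothetical whitespace-separated format (timestamp, source IP, username, result, MFA method) and flags three things a practitioner would want to see: a source IP spraying passwords across many accounts, successful logins that completed without MFA, and the highest-priority case of a successful login from an IP that was just spraying. The field names, thresholds and log format are assumptions.

```python
"""Hunt for credential-based VPN initial access in authentication logs.

Added example. The log format below is a constructed, hypothetical one
(timestamp src_ip user result mfa_method); adapt parse_log() to your
vendor's actual format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source IP fails against five accounts in a few
# seconds, then succeeds against one of them with no MFA; a service account
# also logs in without MFA from elsewhere; one user logs in normally with push MFA.
SAMPLE_LOG = """\
2023-10-20T08:00:01Z 198.51.100.7 jsmith FAIL none
2023-10-20T08:00:03Z 198.51.100.7 agarcia FAIL none
2023-10-20T08:00:05Z 198.51.100.7 bwong FAIL none
2023-10-20T08:00:07Z 198.51.100.7 clee FAIL none
2023-10-20T08:00:09Z 198.51.100.7 dpatel FAIL none
2023-10-20T08:00:11Z 198.51.100.7 dpatel OK none
2023-10-20T08:15:00Z 203.0.113.5 jsmith OK push
2023-10-20T09:00:00Z 192.0.2.44 svc-backup OK none
"""


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": result == "OK",
            "mfa": mfa != "none",
        })
    return events


def find_password_spraying(events, window_seconds=300, min_users=5):
    """Return {src_ip: [users]} for IPs that failed against at least
    min_users distinct accounts inside any window_seconds-long window.
    Spraying is 'one password, many users', so the signal is breadth of
    usernames from one source, not depth of failures on one account."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_ip[e["ip"]].append(e)

    hits = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):
            users = set()
            for e in fails[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                users.add(e["user"])
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def find_logins_without_mfa(events):
    """Successful logins that completed with no second factor: each one is a
    credential that, if stolen, grants access on its own."""
    return [(e["user"], e["ip"]) for e in events if e["ok"] and not e["mfa"]]


def find_success_after_spray(events, spraying):
    """Highest-priority finding: a success from an IP that was spraying."""
    return [(e["user"], e["ip"]) for e in events if e["ok"] and e["ip"] in spraying]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    spray = find_password_spraying(evts)
    print("spraying sources:", spray)
    print("logins without MFA:", find_logins_without_mfa(evts))
    print("success after spray:", find_success_after_spray(evts, spray))
```

The two thresholds (five users in five minutes) are deliberately low for the constructed sample; on a real gateway tune them against baseline traffic, and treat any non-MFA success list that is not empty as a configuration finding in its own right rather than just a detection.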