Stanford University Ransomware Attack Exposed PII of 27,000 Individuals

Stanford University is notifying thousands of individuals that their personal information was leaked in the late 2023 ransomware attack.

On Sept. 27, 2023, Stanford discovered that a threat actor had breached its Department of Public Safety (DPS) and deployed ransomware. The premier American university reported the cybersecurity incident to federal and local law enforcement authorities and retained the services of a reputable cyber forensics firm.

A subsequent investigation determined threat actors gained access to the Department of Public Safety’s network between May 12, 2023, and September 27, 2023, and exfiltrated data. Stanford’s DPS secured the network shortly after detecting the intrusion and removed the threat actor from its premises.

According to a data breach notification filed with the Office of the Maine Attorney General, the Stanford, California-based university said the ransomware attack impacted 27,000 people.

Stanford University’s ransomware attack leaked sensitive information

Stanford’s investigation determined that threat actors accessed the sensitive personal and medical information of a small subset of impacted individuals.

Although the leaked details varied across individuals, they could include date of birth, Social Security number, government ID, passport number, driver’s license number, and other information stored by the Department of Public Safety.

“For a small number of individuals, this information may also have included biometric data, health/medical information, email address with password, username with password, security questions and answers, digital signature, and credit card information with security codes,” the university further disclosed.

However, the attack did not spread beyond the Department of Public Safety’s systems, and the threat actor was ejected shortly after detection.

“The incident does not involve any Stanford systems or networks beyond the one used by the Department of Public Safety,” the university said.

So far, no evidence suggests that the stolen information was misused. Stanford has also partnered with IDX to provide the victims with identity theft protection, ID theft recovery, CyberScan services, and a $1,000,000 insurance reimbursement policy.

Additionally, the Department of Public Safety is “enhancing its security safeguards” to prevent a similar incident in the future. The cyber attack is also under investigation by law enforcement authorities.

Stanford only began notifying impacted individuals on March 11, 2024, nearly half a year after it learned of the cyber intrusion. The university justified the notification delay by claiming that the nature and scope of the ransomware attack “required time to analyze.”

“As with many attacks, hackers were able to bypass perimeter defense tools and spend months lurking in the system undetected,” lamented Darren Williams, CEO and Founder of BlackFog. “To really mitigate the risk of data breaches, organizations must look past perimeter defense and focus on protecting the back door with anti-data-exfiltration solutions.”

Stanford University has not attributed the ransomware attack to any cyber group. However, the Russia-based Akira ransomware gang claimed responsibility for the attack and threatened to leak 430 GB of data it allegedly stole from the higher learning institution. The ransomware gang later published the stolen data, suggesting its extortion attempts were unsuccessful.

Stanford University is no stranger to data breaches resulting in personal information exposure. The university dealt with a similar incident in April 2021 when the Clop ransomware gang stole and leaked data after exploiting the Accellion File Transfer Appliance (FTA) vulnerability. The FTA data breach also impacted the University of Colorado and the University of Miami, with their stolen data leaked online.

Education sector targeted by cyber attacks

“Institutions of higher education are prime targets for cyberattacks, standing as vulnerable pillars in the digital landscape,” said Matt Sparrow, Senior Intelligence Operations Analyst at Centripetal. “With the proliferation of BYOD policies and the influx of transient populations, universities are ripe for exploitation. They lack the resources and training to fortify their defenses, facing an annual influx of thousands of new faces, each a potential vulnerability.”

In February 2023, Stanford University also disclosed the unauthorized download of the Department of Economics Ph.D. program admission files between December 2022 and January 2023.

Numerous US colleges and K-12 schools have suffered Akira ransomware attacks. In April 2023, Bluefield University in Virginia disclosed it was the victim of an apparent Akira ransomware attack. The ransomware group also claimed responsibility for the BridgeValley Community and Technical College attack in West Virginia.

“The attack on Stanford University highlights the need for consistent monitoring of data leaving the network,” Williams added. “With hackers successfully exfiltrating sensitive data, the victims of this attack will no doubt be dealing with relentless extortion attempts going forward.”