Higher Education

Stanford failed to detect fall cyberattack for 4 months

Stanford University leaders said breached personal information includes birthdates, Social Security numbers, government IDs, passport numbers and driver’s license numbers.

By Skylar Rispens

March 14, 2024

Stanford University campus (Philip Pacheco / Getty Images)

Stanford University provided more details this week on a ransomware attack that was originally reported this past fall in which more than 430 gigabytes of data was stolen from the higher education institution.

According to a Monday announcement, “unauthorized individual(s)” originally gained access to the university Department of Public Safety’s network in May 2023, but went undetected for four months until Sept. 27, 2023. The university did not publicly disclose the cybersecurity incident until Oct. 27. The Akira ransomware group claimed credit for the attack.

“The unauthorized access was ended and the network was secured shortly after the unauthorized access was first discovered,” Stanford’s announcement reads. “The incident does not involve any Stanford systems or networks beyond the one used by the Department of Public Safety. Also, at this time there is no evidence that the access information has been misused.”

University leaders are conducting a forensic investigation and will notify individuals whose data may have been impacted by the security breach “to the extent mailing addresses are available,” according to the update. The Register reported that Stanford sent data breach notices to about 27,000 people. Stanford leaders have meanwhile said that law enforcement is continuing to investigate the incident.

The affected personal information varies by individual, the university said, but could include birthdates, Social Security numbers, government IDs, passport numbers, driver’s license numbers, among other sensitive data collected for the operations of the Department of Public Safety.

“For a small number of individuals, this information may also have included biometric data, health/medical information, email address with password, username with password, security questions and answers, digital signature and credit card information with security codes,” the Stanford update read.

Separately, in the spring of 2021, Stanford files — including names, addresses, financial information and Social Security numbers — appeared on a website owned by actors believed to be responsible for a data breach at the university following the compromise of a file-transfer application created by Accellion, which has since renamed to Kiteworks.