SANS Institute, which drills cyber professionals in defense, suffers data breach

A phishing email led to 28,000 PII records being exposed.
SANS institute
Alan Paller, founder of the SANS Institute, pictured in 2017. The SANS Institute announced a data incident on Aug. 11. (Flickr / <a href="">Wisconsin National Guard</a>)

The SANS Institute, which trains cybersecurity professionals around the world, was hacked, resulting in the compromise of 28,000 records of personally identifiable information, the organization said Tuesday.

The Maryland-based research and educational outfit said the breach was the result of a single phishing email sent to a SANS employee, which led to more than 500 of the organization’s emails being forwarded. The breached data included names, email addresses, and physical addresses — information submitted by attendees of a recent SANS virtual training event.

After discovering the breach on Aug. 6, SANS said it “quickly stopped any further release of information” from the compromised email account, which was forwarding the data to an “unknown external email address.” The institute did not identify who was responsible for the hack.

“We are investigating this incident with the support of some of the world’s top forensic experts to be certain that we understand the complete scope of what was accessed,” SANS said in an email to victims of the breach obtained by CyberScoop.


SANS, which says it reaches 165,000 security professionals around the world, is renowned for its training in cyber incident response and penetration testing. The institute has trained countless people in prominent positions at corporations, and has also run cybersecurity exercises for U.S. military personnel. Becoming a SANS instructor is a badge of honor in the cybersecurity industry, and some U.S. government and corporate employees moonlight as instructors.

“[We] deeply regret this attack has happened,” SANS said in its notification email. “When the investigation is complete, we will run a webcast to outline our learnings if there is information that we think would be useful to the community.”

There was no evidence the stolen data had been abused, “but please do be extra careful if you receive any unsolicited communications, particularly if they claim to be from either SANS Institute or GIAC Certifications,” the email said, referring to a global security accreditation run by SANS.

After news of the breach broke, some cybersecurity hands noted the irony of the training guru getting hacked.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts