Stanford University failed to detect ransomware intruders for 4 months

Stanford University says the cybersecurity incident it dealt with last year was indeed ransomware, which it failed to spot for more than four months.

Keen readers of El Reg may remember the story breaking toward the end of October 2023 after Akira posted Stanford to its shame site, with the university subsequently issuing a statement simply explaining that it was investigating an incident, avoiding the dreaded R word.

Well, surprise, surprise, ransomware was involved, according to a data breach notice sent out to the 27,000 people affected by the attack.

Akira targeted the university’s Department of Public Safety (DPS) and this week’s filing with the Office of the Maine Attorney General indicates that Stanford became aware of the incident on September 27, more than four months after the initial breach took place.

According to Monday’s filing, the data breach occurred on May 12, 2023, but was only discovered on September 27 of last year, raising questions about whether the attacker(s) were inside the network the entire time and why it took so long to spot the intrusion.

We asked Stanford University for comment on the matter but it didn’t immediately respond.

It’s not fully clear what information was compromised, but the draft letters include placeholders for three different variables. However, the filing with Maine’s AG suggests names and social security numbers are among the data types to have been stolen.

All affected individuals have been offered 24 months of free credit monitoring, including access to a $1 million insurance reimbursement policy and ID theft recovery services.

“We take safeguarding your information seriously,” the letter to affected individuals reads. “Upon discovering the incident, we notified federal and local law enforcement and worked with external cybersecurity experts to terminate the unauthorized access. Stanford DPS is also further enhancing its security safeguards.”

The uni added: “We encourage you to take full advantage of this service offering. IDX can answer questions or concerns you may have regarding protection of your personal information. As always, please remain vigilant and continue reviewing your accounts for unusual activity. You can also review the enclosed steps to help protect your personal information.”

Akira’s post dedicated to Stanford on its leak site claims it stole 430 GB worth of data, including personal information and confidential documents.

It’s all available to download via a torrent file and the fact it remains available for download suggests the research university didn’t pay whatever ransom the attackers demanded.

Akira has been in operation since March 2023 and according to previous negotiations with anonymized victims that have since been published online, the group’s ransom demands were varied, from multiple millions of dollars to low six-figure sums.

It has claimed responsibility for major attacks on organizations including the Toronto Zoo, Nissan Australia, Mercer University, bath bomb slinger Lush, and more.

Researchers also pinpointed Akira, along with 8Base, as one of the ransomware gangs to watch in 2024 as criminals vie for the “top dog” spot now LockBit and ALPHV have been shuttered by law enforcement. ®