Stanford University Failed To Detect Ransomware Intruders For 4 Months (theregister.com) 22
Connor Jones reports via The Register: Stanford University says the cybersecurity incident it dealt with last year was indeed ransomware, which it failed to spot for more than four months. Keen readers of El Reg may remember the story breaking toward the end of October 2023 after Akira posted Stanford to its shame site, with the university subsequently issuing a statement simply explaining that it was investigating an incident, avoiding the dreaded R word. Well, surprise, surprise, ransomware was involved, according to a data breach notice sent out to the 27,000 people affected by the attack.
Akira targeted the university's Department of Public Safety (DPS) and this week's filing with the Office of the Maine Attorney General indicates that Stanford became aware of the incident on September 27, more than four months after the initial breach took place. According to Monday's filing, the data breach occurred on May 12 2023 but was only discovered on September 27 of last year, raising questions about whether the attacker(s) was inside the network the entire time and why it took so long to spot the intrusion.
It's not fully clear what information was compromised, but the draft letters include placeholders for three different variables. However, the filing with Maine's AG suggests names and social security numbers are among the data types to have been stolen. All affected individuals have been offered 24 months of free credit monitoring, including access to a $1 million insurance reimbursement policy and ID theft recovery services. Akira's post dedicated to Stanford on its leak site claims it stole 430 GB worth of data, including personal information and confidential documents. It's all available to download via a torrent file and the fact it remains available for download suggests the research university didn't pay whatever ransom the attackers demanded.
Re:Alright (Score:4, Informative)
Indeed. I keep telling the IT department of one of the places that I teach IT security at to stop doing forced password changes (with references), because I have to tell my students that they are doing it wrong and that is embarrassing. They keep telling me they are unable to change their security concept.
Re: (Score:2)
That should be deployable in any environment, including one where students filter in and out all the time.
Also, when I was in college, hacking the network was a fun side thing people did.
Re: (Score:2)
You are too kind. I would call it "incompetent". And that 2FA is activated. It is all o365 and derived authentication.
Hmm, maybe I should point _that_ out to my IT Security students as the core problem. I mean, more than I already do.
Re: (Score:1)
IT != CS or engineering. In my experience, IT is usually about getting the lowest-price boneheads, likely contractors, with everything else managed overseas, with just enough IQ so that stuff barely runs and that the university doesn't run afoul of FERPA or HIPAA. Generally, if they are asked to do -anything- that might be an edge case, the university is going to have to re-negotiate the entire contract for the out-of-scope work, even if this means touching anything non-Windows. And these contracted-out
Re: (Score:1)
Re: (Score:3)
Just shows that Stanford is teaching excellent creative arts.
Re: (Score:2)
Future republicans then?
Not enough enforcement. (Score:2)
Find the asshats and make sure they never do it again, in whatever country they are.
Re: (Score:2)
Find the asshats and make sure they never do it again, in whatever country they are.
Nonsense.
If your house is repeatedly burgled, the solution is to put a lock on the door, not build more prisons.
Re: (Score:2)
The solution to crime isn't to eliminate every opportunity for it, and never has been, because that's inefficient and ultimately impossible. If your home is burgled, then I hope you get victim-blamed too.
our tools suck (Score:2)
OS and app software are super buggy. The tools that we have to find these things are reactionary and suck at finding novel software issues, they'll be sure to make it find something they know about ahead of time. You can blame IT but they are not clairvoyant.
Stop clicking on scams people!
Re: (Score:1)
Two stories in a row today (Score:2)
...that would both not be stories if crypto were just !@#$$ing illegal.
Stanford is not in Maine (Score:2)
Does anyone know why the Maine Attorney General is involved? Palo Alto is pretty far from Maine and I didn't see any explanation in the article. Does Maine have better disclosure laws than other states? There is a filing which includes:
Total number of persons affected (including residents): 27000
Total number of Maine residents affected: 3
If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified:
Date(s) Breach Occured: 05/12/2023
Date Breach Discovered: 09/27/2023
Strange behavior by ransom demanders (Score:2)
S H U M (Score:2)