Stanford says data from 27,000 people leaked in September ransomware attack

A ransomware gang accessed the personal information of more than 27,000 people on Stanford University servers during a cyberattack last year, the university warned this week.

The California-based school began sending out breach notification letters this week, 10 months after the Akira ransomware gang first compromised the school’s systems.

Stanford University released a statement on Monday saying their investigation uncovered clues indicating the hackers had gained access to the Department of Public Safety’s network from May 12 until September 27, 2023.

“The incident does not involve any Stanford systems or networks beyond the one used by the Department of Public Safety,” the school said, noting that federal and local law enforcement investigations are ongoing.

“The personal information that may have been affected varies from person to person but could include date of birth, Social Security number, government ID, passport number, driver’s license number, and other information the Department of Public Safety may have collected in its operations.”

The statement adds that for an additional group of victims, some “biometric data, health/medical information, email address with password, username with password, security questions and answers, digital signature, and credit card information with security codes” may have been accessed by the hackers.

In documents filed with regulators in Maine, the school said the large time gap between the attack and the notification was because the incident “required time to analyze.”

Victims will be offered two years of free identity protection services.

The Akira ransomware gang claimed that it stole 430 gigabytes of data in the attack. The gang targeted several U.S. colleges and K-12 schools in 2023 after emerging last March.

Stanford University previously dealt with a cybersecurity incident in 2021, when the Clop ransomware gang stole and leaked personal information obtained through a vulnerability in the Accellion File Transfer Appliance (FTA) software. The breach involved Social Security numbers and more taken from Stanford Medicine.