University notifies individuals impacted by SUDPS hack

Stanford has started to reach out to 27,000 individuals whose personal information was stolen by ransomware group Akira’s attack on the Department of Public Safety (DPS) discovered last September. The incident was isolated to systems and networks used by DPS, and did not involve any other parts of Stanford’s digital infrastructure.  

There is currently no evidence that the accessed information was misused, the University wrote in a March 11 update.

Akira previously threatened to leak the stolen data if the University did not pay an unspecified ransom. The Daily previously reached out to Akira representatives for comment on the scope and legitimacy of the listing through an anonymous portal. Representatives did not respond to the request.

Three impacted individuals in Maine were notified on March 11. Pursuant to Maine state law, Stanford also filed a data breach notification with the Maine Attorney General. 

Individuals started to receive notification letters earlier this week from the Stanford University Chief Privacy Officer, Nelson Akinrinade. Mailed notifications were delivered to anyone with an available mailing addresses. 

Identity protection services are available without cost to individuals who were affected. The University offered protection through IDX, which includes a $1,000,000 insurance reimbursement policy and fully managed ID theft recovery services.

The deadline to enroll in IDX services is June 11, 2024. 

Potential leaked information include names and personal information, like social security numbers, government IDs, passport numbers and driver’s licenses of impacted individuals. 

According to the University, the biometric data, health and medical information, email address with password, username with password, security questions and answers, digital signature and credit card information with security codes may also have been leaked for a small number of people.

Some impacted individuals were potentially minors, based on notification letters addressed to parents and guardians.

Law enforcement continues to investigate the incident, but established that the breach occurred between May 12, 2023 and Sept. 27, 2023. 

Shortly after the breach was discovered, federal and local law enforcement collaborated with external cybersecurity experts to terminate Akira’s access. According to the notification letter, DPS started work to improve safeguards.

“We take safeguarding your information seriously,” Akinrinade wrote.