Personal information of 27,000 stolen by Stanford police hackers

BY BRADEN CARTWRIGHT
Daily Post Staff Writer

Hackers of Stanford police have social security numbers, credit card information with security codes, email account passwords, medical information and biometric data from thousands of people, according to a disclosure filed in two states.

The hack of Stanford police, discovered in September but not disclosed to victims until March 11, affected 27,000 people, according to a disclosure Stanford was required to file in Maine.

Stanford Chief Privacy Officer Nelson Akinrinade sent letters to victims telling them what personal information was stolen and offering identify theft protection services and insurance, the disclosure said.

Stolen information could include passport numbers, driver’s license numbers, government IDs, digital signatures and “other information the Department of Public Safety may have collected in its operations,” Stanford said.

Biometric data includes fingerprints and facial scans.

“At this time, there is no evidence that your information has been misused,” Akinrinade said in a sample letter linked in state filings.

Hackers accessed the Stanford police network on May 12 last year, but Stanford didn’t discover the breach until Sept. 27, the disclosure said.

Hackers likely used a fake email to convince a Stanford employee to click a link that encrypted the network’s files and applications, cybersecurity expert Ahmed Banafa said in an interview last year.

Stanford could either pay a ransom in cryptocurrency or rebuild its IT systems from the last time they were backed up, Banafa said.

A hacker group called Akira took credit for the hack on a dark web forum on Oct. 27.

“Stanford is known for its entrepreneurial character, drawing from the legacy of its founders, Jane and Leland Stanford, and its relationship to Silicon Valley,” the post said. “Soon the university will be also known for 430 GB of internal data leaked online.”

The post indicated that Stanford didn’t pay the hackers, Banafa said.

Akira invited people to download the stolen files on the dark web in December.

“We have made the process of downloading company data as simple as possible for our users,” a post from Akira said. “Private information, confidential documents etc. Enjoy!” The post included a link to download the files, with no password needed.

Throughout the hack, the university wouldn’t say anything about what happened, only confirming that the hack was limited to the police and didn’t impact emergency responses.

“The nature and scope of the incident required time to analyze,” the university said in an unsigned statement on Monday.

Potentially impacted people will get a letter in the mail if their mailing addresses are available, Stanford said.

Insurance will reimburse up to $1 million to restore someone’s identity, the letter said.

Three residents were affected in Maine, according to the disclosure. Stanford also filed Akinrinade’s letter in California but the state’s database doesn’t say how many of its residents were affected.