Hackers have leaked stolen data belonging to members of the Stanford community — including Social Security numbers, addresses, emails, family members and financial information — after obtaining the data from a compromised file transfer system used by Stanford Medicine.
The leaked Stanford data is part of a massive data breach affecting numerous businesses and universities that targeted a widely-used file transfer service, Accellion, used by the University.
A University employee confirmed the leak to an individual whose data was included in the breach.
In a statement to The Daily on Thursday, School of Medicine spokesperson Julie Grecius said that Stanford is investigating the incident and has reported it to law enforcement.
By Wednesday, hackers had published links to download information allegedly stolen from Stanford and numerous other schools and businesses. Although Greicius stopped short of confirming the veracity of the data, The Daily has independently verified a subset of the data to be authentic.
“We are working to determine whether individuals’ personal data has been affected, and we will notify any affected individuals,” Greicius wrote.
However, an individual whose data was included in the breach told The Daily on Thursday that they were not contacted by the University until they filed an incident report themselves.
On Friday, Stanford Medicine chief financial officer Randy Livingston and Stanford Medicine dean Lloyd Minor confirmed the breach in an email to the Stanford community. They said that Stanford was analyzing the stolen data with the help of a “leading cyber-forensics firm” and announced that updates would be shared on a dedicated webpage.
Stanford did not respond to The Daily’s questions asking about the extent of the data breach, whether patients at Stanford’s hospitals were affected, when Stanford was made aware of the data breach and what measures the University is taking to secure the stolen data.
Other universities and businesses listed on the website — including Shell, University of California Berkeley, Los Angeles, Davis, the University of Colorado and the University of Miami — confirmed over the past week that their data was compromised. Some targeted institutions received ransom demands to stop the release of more stolen data.
According to Accellion, the hackers targeted a 20-year-old legacy service, Accellion File Transfer Appliance (FTA), that was due to be discontinued in April 2021. The company announced in December and January that they had discovered vulnerabilities in FTA and encouraged customers to update to their modern platform for higher security.
Stanford Medicine used the Accellion platform for its MedSecureSend system, which was used to transfer data including credit, debit or prepaid card data and protected health data that are classified as “high risk” by the University.
“If you’re looking for a good way to securely send large files now and then, especially to collaborators outside of Stanford, use MedSecureSend (MSS),” the University wrote on a page that has since been removed.
MedSecureSend’s landing page now displays a message saying that “MedSecureSend is off line due to a critical security issue.”
“This is a 20 year old legacy system. And these are notoriously insecure,” said security researcher Jack Cable ’22, who has been recognized by Google, Facebook and the Department of Defense for discovering security vulnerabilities. “This is something that’s endemic across probably all universities and large companies, in that they’re dependent on software that is really old and is likely pretty vulnerable. That’s why we’re seeing so many breaches.”
In announcements last week, UC Davis, the University of Colorado and the University of Miami recommended that students and staff place fraud alerts with a credit reporting agency and freeze their credit reports.
Stanford will offer identity theft protection services to affected individuals, and community members should report suspected identity theft to Stanford’s Privacy Offices, Livingston and Minor said. Individuals associated with Stanford’s hospitals can report suspected incidents to [email protected].
This article has been updated to include information from an email announcement sent to the campus community on Friday.