Campus Alert Archive
Stanford

Akira Breaches the Stanford Department of Public Safety — Then Stanford Has to Alert the Campus

CAinfrastructure failureadvisoryhigh confidence
Confirmed Threat

Stanford confirmed on October 27, 2023 that its Department of Public Safety network had been breached by an unauthorized actor; investigation later attributed the intrusion to the Akira ransomware group, which began posting Stanford data to its dark-web leak site in late October. Final notifications in May 2024 disclosed that personal information of approximately 27,000 individuals had been exposed, with intrusion activity dating back to May 12, 2023. The DPS network is the same one that issues AlertSU messages, raising significant questions about emergency-alert isolation at one of the country's most security-resourced universities.

Alerts
3
Response
min
Killed
0
Injured
0
Institution
Stanford University
Private R1 · CA
~17,246 studentsAlertSU
Confirmed Timeline

Alert Sequence

3 messages in sequence · 1 verified verbatim

Some alert texts below are approximate reconstructions from news coverage, not confirmed verbatim transcripts. Reconstructed texts are shown in italic with a dashed border. Verified verbatim texts have a solid border and are marked accordingly.

INITIAL ALERTEmail
Verified verbatimStanford News — official cybersecurity incident update posted October 27, 2023616 chars
Earlier this fall, the Stanford Department of Public Safety identified a cybersecurity incident involving the Department of Public Safety network. The incident is limited to the Department of Public Safety network and does not impact other parts of the university. Stanford has engaged third-party cybersecurity experts to assist with the investigation. Out of an abundance of caution, the FBI has been notified and we are cooperating fully with law enforcement. Public safety operations have not been impacted, and the university remains open. We will provide additional information as the investigation progresses.
Friday-afternoon disclosure is the standard 'minimize attention' timing — common for organizations announcing a breach they cannot legally avoid disclosing.
Notice asserts containment to the DPS network specifically; later filings would confirm that scope held.
'Public safety operations have not been impacted' is the operative reassurance — the campus alert system is part of DPS but ran on a separate identity tier.
UPDATEEmail+2d
Approximate reconstructionReconstructed from BleepingComputer's reporting on Stanford's October 30 community message499 chars
Stanford is aware that a threat actor has posted information online purporting to be associated with the cybersecurity incident affecting the Department of Public Safety network. We are investigating these claims. As stated previously, the incident has been limited to the DPS network. If we determine that personal information has been impacted, we will notify affected individuals directly. We urge community members not to interact with any links or downloads associated with the posted material.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Note 'threat actor has posted information online' — Stanford acknowledges the leak without naming Akira, the standard FBI-coordinated approach.
Stanford Daily reporting later confirmed Akira began publishing samples in stages over the following week.
FOLLOW-UPEmail+200d
Approximate reconstructionReconstructed from Stanford's final May 2024 disclosure quoted by The Record and BleepingComputer743 chars
Stanford has completed its investigation into the cybersecurity incident affecting the Department of Public Safety network. We have determined that an unauthorized third party accessed certain files on the DPS network between May 12 and September 27, 2023. The information that may have been accessed includes name, contact information, date of birth, government-issued identification numbers, and in limited cases Social Security numbers, financial account information, and health information. Approximately 27,000 individuals are being notified. Stanford is offering two years of complimentary credit monitoring and identity protection services through Kroll. The Stanford AlertSU emergency notification system was not affected at any point.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Affirmative statement that AlertSU was not affected — Stanford clearly heard the question about emergency-alert isolation and answered it.
Window from May 12 to September 27, 2023 is a 138-day dwell time, longer than the industry average and consistent with Akira's documented patience.
Context

Background

Stanford's Department of Public Safety operates a separately administered network that handles 911 dispatch, body-worn camera storage, case management, and — adjacent to it — the AlertSU emergency notification platform. On October 27, 2023, Stanford disclosed that an unauthorized party had accessed the DPS network and that the FBI was involved. Three days later, the Akira ransomware group claimed Stanford on its dark-web leak site and began posting samples. In May 2024 Stanford's final notification confirmed approximately 27,000 individuals had personal information exposed, with the attacker active on the DPS network for 138 days from May 12 through September 27, 2023. The university repeatedly stressed that the campus-wide AlertSU mass-notification platform was unaffected — a tacit acknowledgment that the breached DPS network was administratively close to the safety-broadcast system. Stanford did not pay the ransom and was the highest-profile US university victim of Akira in 2023, a year that saw the group claim Knox College, Bluefield, several K-12 districts, and dozens of healthcare systems.
Analysis

Key Findings

Attacker dwell time on the DPS network was 138 days, from May 12 to September 27, 2023 — well above industry medians.
Stanford repeatedly stated that AlertSU was unaffected, an acknowledgment that the breached DPS network and the emergency-alert platform are administratively adjacent.
Approximately 27,000 individuals had personal data exposed, in some cases including Social Security numbers and health information.
Stanford did not pay; data was published to Akira's leak site beginning October 30, 2023.
Outcome
Stanford engaged outside incident-response counsel, notified the FBI, and disclosed publicly on October 27, 2023. AlertSU remained operational throughout. Affected individuals were notified beginning in late winter 2024 and offered two years of credit monitoring through Kroll. Stanford did not pay the ransom.
Provenance

Sources

  1. Official
    Cybersecurity incident update — Stanford News
    news.stanford.edu
  2. national media
    Stanford confirms data breach after Akira ransomware leaks stolen data — BleepingComputer
    bleepingcomputer.com
  3. national media
    Stanford says data of 27,000 individuals leaked in September ransomware attack — BleepingComputer
    bleepingcomputer.com
  4. national media
    Stanford University discloses ransomware incident affecting Department of Public Safety — The Record
    therecord.media
Tags
cyberattackransomwareakiradata-breachdepartment-of-public-safetycaliforniaprivate-r1alert-system-isolationinfrastructure-failure
Added May 2026Updated May 2026Via ingestion