Copyright phillyvoice
The hacker group that has claimed responsibility for the University of Pennsylvania data breach says it gained personal data about former President Joe Biden, who has a think tank at the Ivy League school, and former university President Liz Magill. The hackers, who also claim they sent out the disparaging email received Friday by Penn students and alumni, told The Verge that their primary goal was to "get the wealthy donor database." "A lot of the reporting has framed this (cyberattack) as primarily 'anti-DEI' motivated but A) we think Penn ... tipping the scales in favor of legacies and donors is equally if not more egregious than its affirmative action practices and B) neither of those two things was the reason we targeted them," the group told The Verge via Signal. Penn says it notified the FBI after the hacker group claimed to have stolen 1.2 million donor records and sent the disparaging email. The hackers, who have remained anonymous, claimed to have exfiltrated data about Biden and his family members, The Verge reported. Biden's granddaughter attended Penn and the university houses the Biden Center, his think tank. The data breach also reportedly included internal university talking points about Magill's congressional testimony on antisemitism on campus. She resigned as Penn president after she failed to emphatically say during her testimony in late 2023 that "calling for the genocide of Jews" would violate the university's code of conduct and prompt punishment. Magill said it would be "context-dependent." On Sunday, the cybersecurity website BleepingComputer reported that the hackers claimed to have gained access to multiple university systems to steal personal information from students, alumni and donors. The hackers said the data included names, birth dates, addresses, phone numbers, demographic information and donor details like estimated net worth and donation history. On Monday, Penn said it was investigating a data breach of select information systems. "We understand and share our community's concerns and have reported this to the FBI," a Penn spokesperson said. "We are working with law enforcement as well as other third party technical resources to address this as rapidly as possible." The email, which appeared to come from Penn's Graduate School of Education, called the university "elitist" and instructed recipients not to donate the school. It used derogatory language and said Penn had "terrible security practices" and is "unmeritocratic" in its admissions. Many people reported receiving the email several times. Penn issued a statement Friday that said the email was a fraud and was not reflective of the university's values. The hackers claimed to have gained access to an employee's account for PennKey, the school's online portal, and used it to find Penn's analytics platform, business intelligence system, SharePoint files and Salesforce data. They claim to have breached Penn's system Thursday and completed their data downloads by Friday, when they lost access to the account. After realizing they still had access to a marketing tool through Salesforce, the group says it sent the email to 700,000 people. "Once (the data) was already exfiltrated, we sent that email out just as a fun rant since our session was still valid in Salesforce marketing cloud; it wasn't our end goal," the hackers told The Verge. The hackers told BleepingComputer that they intended to just find the donor information. They said they have no plans to extort Penn, because they can "extract plenty of value out of the data ourselves." "While we're not really politically motivated, we have no love for these nepobaby-serving institutions," the hackers said. "The main goal was their vast, wonderfully wealthy donor database." The email, which some people with no affiliation to the school said they received, took issue with Penn's admission practices. It criticized the university's use of affirmative action, which allows race to be considered in admissions. The U.S. Supreme Court invalidated the use of the policy in 2023 despite outcries from diversity advocates. The email also claimed Penn violated the federal Family Educational Rights and Privacy Act, which governs student records.
