Penn says data breach is 'contained'

🕒︎ 2025-11-05

Copyright The Philadelphia Inquirer

The University of Pennsylvania said Tuesday it is confident that a data breach attack in which hackers allege they accessed large volumes of personal donor, student, and alumni information has been “contained” and the school has hired cybersecurity professionals to help investigate.

While it’s been reported that hackers allege accessing data on 1.2 million students, donors, and alumni, Penn said it could not confirm that number and is still investigating the material that was accessed.

“However, we do know that the stolen credentials were used to access systems related to Penn’s development and alumni activities,” the university said on an information page about the incident posted Tuesday evening.

Systems accessed include “Penn’s Customer Relationship Management (CRM) system (Salesforce), file repositories (SharePoint and Box), a reporting application (Qlikview), as well as Marketing Cloud,” the school said. Penn Medicine’s electronic medical records do not appear to have been accessed, the school said.

The breach occurred as a result of “a sophisticated identity impersonation commonly known as social engineering,” the university said. That’s when “bad actors deceive individuals into giving up confidential information which compromises security and can be used to access private systems and information.”

Penn said it was taking steps to prevent future attacks and would be instituting mandatory training.

Penn intends to notify people whose data may have been compromised “if and when appropriate and as required by applicable notification laws,” the school said.

The data breach reportedly included thousands of pages of information, in some cases dating back decades, and including internal university memos, bank records, and donor, student, and alumni information. The data released, according to The Daily Pennsylvanian, Penn’s student newspaper, included memos about donors and their families, receipts of bank transactions, and personal information.
The DP said it reviewed the documents released by the alleged hacker on LeakForum, and that the group claimed to have accessed data on 1.2 million Penn students, alumni, and donors.

The Verge, a technology publication, reported that among the items released is personal information about former President Joe Biden, whose granddaughter had been a student at Penn, and talking points used to prepare former Penn President Liz Magill for her congressional testimony in 2023, according to the New York Times. Magill resigned after a bipartisan backlash to her testimony on the school’s handling of antisemitism complaints.

The hacker told the Verge they plan to sell some of the data before releasing it publicly.

Some of the data seem to be focused on Penn’s admissions. The hackers alleged that Penn “love[s] legacies, donors, and unqualified affirmative action admits,” according to the Daily Pennsylvanian.

The incident first came to light Friday after some students and alumni received what the school called a “fraudulent” email that crudely criticized the school’s hiring practices and encouraged people to stop giving money. The email was crafted to appear as if it came from Penn’s Graduate School of Education.

“We have terrible security practices and are completely unmeritocratic,” the email said.

The university said on Friday that information security workers were “actively addressing” the situation and the school reported the breach to the FBI.

“We are working with law enforcement as well as other third-party technical resources to address this as rapidly as possible,” the school said.

On Sunday, cybersecurity news website Bleeping Computer reported that a hacker, who remained anonymous, claimed credit for the email and said they had taken data for a large number of people affiliated with the university.
A proposed class action lawsuit filed Monday in U.S. Eastern District Court alleges that Penn failed to protect users’ sensitive data and in turn allowed it to fall into “the hands of cybercriminals who will undoubtedly use [the information] for nefarious purposes.”

Filed on behalf of Christopher Kelly, a Penn alumnus in Chicago, the lawsuit claims that there are more than 100 potential class members. Penn, the lawsuit alleges, was negligent in enforcing its security policies and failed to quickly notify those impacted, among other claims.

A Penn spokesperson has declined to comment on the lawsuit.

In Tuesday’s message, Penn warned its community “to be wary of suspicious calls or emails that could be phishing attempts, particularly those that may be soliciting fraudulent donations, asking for your system credentials, or suggesting you change credentials or passwords. Also be wary of any embedded links in emails that you are not familiar with.”
