University of Pennsylvania Data Breach: Hacker Stole Data

University of Pennsylvania Data Breach Confirmed

The University of Pennsylvania has now acknowledged a data breach occurred last week. This confirmation follows initial reports of suspicious emails sent to alumni and affiliates from legitimate university email accounts.

The hackers themselves proclaimed responsibility, stating, “We got hacked.” Their message further asserted illegal activities, including a threat to release data protected under FERPA regulations, and demanded a cessation of financial contributions.

Initial Response and Subsequent Confirmation

Initially, the university characterized the email as “fraudulent” in a statement to TechCrunch. However, Penn has since verified the hackers’ claim that a data extraction did indeed take place.

According to a statement distributed to alumni and made publicly available, the compromise affected specific information systems linked to development and alumni relations on October 31st. Rapid action by Penn staff secured the systems, preventing further unauthorized access, but not before the malicious email was disseminated and data was stolen.

Details of the Attack

The breach was executed through a social engineering attack. This technique relies on deceiving individuals into revealing confidential information, such as login credentials, often via phishing schemes or deceptive phone calls.

A Penn employee, speaking anonymously due to lack of authorization, revealed that the university mandates multi-factor authentication (MFA) for students, staff, and alumni as a security protocol. However, exceptions to this requirement were reportedly granted to certain high-ranking officials.

When questioned by TechCrunch regarding these alleged MFA exemptions and overall staff adoption rates, Penn spokesperson Ron Ozio declined to provide further comment beyond the university’s official incident page.

Impact and Notification Plans

Penn is legally obligated to notify individuals whose personal information was compromised. The timeline for these notifications, the number of affected individuals, and the specific data accessed remain undisclosed at this time.

Reports from The Daily Pennsylvanian indicate the hacker claims to have obtained documents related to university donors, bank transaction records, and personally identifiable information. The motivation behind the attack appears to be financial gain.

Broader Context: Recent University Hacks

This incident follows a similar breach at Columbia University earlier in the year. That attack resulted in the exposure of sensitive data belonging to approximately 870,000 students and applicants, including Social Security numbers and citizenship details.

Potential Motivations and Ideological Links

Both the Penn and Columbia hacks seem to be connected to objections regarding affirmative action policies. The Penn hacker’s email expressed disdain for legacy admissions, donor influence, and the acceptance of “unqualified affirmative action admits.” Similarly, the Columbia hacker stated their aim was to investigate the university’s affirmative action practices.

Individuals with information regarding the Penn hack are encouraged to contact Amanda Silberling securely via Signal at @amanda.100, or through email using a personal device.