The University of Pennsylvania experienced a cyber incident on Oct. 31, in which a series of mass emails were sent to students, parents, faculty and alumni. These emails were sent from accounts associated with the Graduate School of Education and were addressed to the University’s community at large.
The content of the mass emails contained condemnations of the University’s institutional purpose and security practices. A section of an email states, “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.”
A spokesperson for the University has stated that these critiques “are in no way reflective of Penn or Penn GSE’s mission or actions.” Furthermore, the spokesperson assured that the University is “actively and quickly investigating and taking immediate steps to stop these emails from being sent.”
While the investigation is still in preliminary stages, the alleged threat actor has contacted BleepingComputer and claimed to have gained complete access to an employee’s PennKey SSO account, which permitted them “access to Penn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files.”
According to the threat actor’s claims, they were able to exfiltrate the data of approximately 1.2 million students, alumni, and donors. Compromised information allegedly includes:
- Names
- Dates of birth
- Phone numbers
- Addresses
- Donation history
- Estimated net worth
- Demographic information (such as race, religion or sexual orientation)
An archive totaling 1.7 GB has since been published by the hacker, possessing records apparently taken from the University’s systems.