
Penn Data Breach: 1.2 Million Donor Records Stolen by Hacker

Summary

– A hacker claimed responsibility for breaching University of Pennsylvania systems, accessing data on 1.2 million donors, students, and alumni, and sending offensive mass emails.
– The attacker gained access through an employee’s PennKey SSO account, allowing them to infiltrate multiple university systems including VPN, Salesforce, and SharePoint.
– Stolen data includes personal details like names, addresses, donation history, and sensitive demographic information such as race, religion, and sexual orientation.
– The hacker stated the primary motivation was to obtain Penn’s wealthy donor database for their own use, not for extortion or political reasons.
– The University of Pennsylvania is investigating the incident with the FBI and third-party resources, while advising donors to be vigilant against phishing and fraud attempts.

A significant data breach at the University of Pennsylvania has exposed the personal information of approximately 1.2 million donors, students, and alumni, following a cyberattack that compromised multiple university systems. The incident, which the university initially downplayed as “fraudulent emails,” is now under investigation by the FBI after the hackers provided evidence of their extensive access.

Last week, members of the Penn community began receiving offensive emails from official university addresses. These messages, sent through the connect.upenn.edu mailing platform, contained derogatory statements about the institution and claimed that sensitive data had been stolen. While Penn described these communications as “obviously fake,” the threat actor behind the attack contacted media outlets to provide details of a much broader security compromise.

The hackers explained they gained full access to an employee’s PennKey SSO account, which served as their entry point into university networks. This access allowed them to penetrate Penn’s VPN, Salesforce databases, Qlik analytics, SAP business intelligence systems, and SharePoint files. From these systems, they extracted extensive donor records containing names, birth dates, physical addresses, phone numbers, estimated net worth, donation histories, and sensitive demographic information including religious affiliation, race, and sexual orientation.

According to the attackers, the breach occurred between October 30th and 31st, during which time they successfully downloaded substantial amounts of data. When the university eventually revoked their access to the primary systems, the hackers still maintained control over the Salesforce Marketing Cloud platform, which they used to send mass emails to approximately 700,000 recipients.

The threat actor declined to specify how they obtained the employee credentials, stating only that the intrusion resulted from security deficiencies at the university. They subsequently published a 1.7-gigabyte archive containing spreadsheets, donation materials, and various documents allegedly taken from Penn’s SharePoint and Box systems.

When questioned about their motives, the hackers clarified that their primary objective was financial rather than political. “The main goal was their vast, wonderfully wealthy donor database,” they stated, while expressing general disdain for elite institutions. They confirmed they are not attempting to extort the university, believing Penn would not pay, and instead plan to “extract plenty of value out of the data ourselves.”

Although the complete donor database has not yet been publicly released, the attackers indicated they might publish it within the next month or two. In response to these developments, Penn has engaged both law enforcement and third-party technical experts to address the security incident.

Individuals affiliated with Penn should remain vigilant against targeted phishing attempts that may leverage the stolen information. Attackers could use the compromised data to impersonate university officials, solicit fraudulent donations, or attempt to gain access to personal accounts. Anyone receiving unexpected communications regarding donations should verify their authenticity directly with the university before responding or taking any action.

(Source: Bleeping Computer)
