A notorious hacking group has claimed responsibility for last year’s data breaches at Harvard University and the University of Pennsylvania and has now published the data they claim to have stolen from the two schools. On Wednesday, the group known as ShinyHunters published what it claims are more than one million records from each university on the group’s dedicated leak site, which the gang uses to extort its victims.
In November, the University of Pennsylvania confirmed a data breach of a select group of information systems related to the school’s development and alumni activities. At the time, the hackers also sent emails to alumni from official university addresses announcing the hack. The university blamed the breach on social engineering, an attack that often relies on hackers impersonating someone to trick a target into taking an action. In its official breach disclosure, which has since been taken offline, UPenn did not specify exactly what data was stolen, only stating the cybercriminals accessed systems related to development and alumni activities.
TechCrunch verified a portion of the data set by confirming details with alumni and public records, such as matching student ID numbers.
Later in November, Harvard University also confirmed a breach of its alumni systems, blaming it on a voice phishing attack. This type of attack involves hackers tricking targets via a voice call into clicking a link or opening an attachment. Harvard stated that the stolen data included email addresses, phone numbers, home and business addresses, event attendance, donation details, and other biographical information related to fundraising and alumni engagement.
The data published by ShinyHunters, which TechCrunch has seen, appears to match the type of information that both universities said was stolen last year. The hackers said they published the stolen data because the universities refused to pay a ransom to prevent its release. Cybercriminals like ShinyHunters often attempt to extort victims by demanding payment in exchange for not publishing stolen data, and release it online if the payment is refused.
During the UPenn breach, the hackers made it seem they had political motives, expressing discontent with affirmative action policies in an email sent to alumni. ShinyHunters is not typically known for political motives. The hackers did not respond to a question asking why they included that language in the email.
A Penn spokesperson stated that the university is analyzing the data and will notify any individuals if required by applicable privacy regulations. Harvard did not respond to a request for comment.

