The University of Pennsylvania confirmed on Tuesday that a hacker stole university data as part of a data breach that occurred last week. During the breach, alumni and other affiliates received suspicious emails from official university email addresses.
One message from the hackers read, “We got hacked.” The message added, “We love breaking federal laws like FERPA (all your data will be leaked). Please stop giving us money.” While Penn initially described the email as fraudulent, the university has now confirmed the hacker’s claim that data was taken.
In a statement emailed to alumni and shared online, the university wrote that on October 31, Penn discovered that a select group of information systems related to development and alumni activities had been compromised. The statement said Penn’s staff rapidly locked down the systems and prevented further unauthorized access, but not before an offensive and fraudulent email was sent and information was taken by the attacker.
For example, one alumna and former employee reported receiving the hacker’s message three times at her personal email address, each time from a different official university email address, including one belonging to a senior staff member.
The university stated the breach resulted from a social engineering attack, a technique in which individuals are tricked into handing over sensitive information such as login credentials.
A Penn employee, who was not authorized to speak to the press, told reporters that the university requires students, staff, and alumni to use multi-factor authentication on their accounts as a security measure. However, the employee said some high-ranking officials were granted exemptions from these multi-factor authentication requirements. When asked about these alleged exceptions, a Penn spokesperson declined to comment beyond the university’s official data incident page.
As required by law, Penn said it will contact individuals whose personal information was accessed by the hackers. The university has not said when these notifications will occur, how many people are affected, or what specific information was accessed.
Other reports indicate the alleged Penn hacker claimed to have taken documents relating to university donors, bank transaction receipts, and personally identifiable information. The hacker stated they were financially motivated.
This incident follows a similar breach earlier this year at Columbia University, where hackers accessed sensitive information about approximately 870,000 students and applicants, including Social Security numbers and citizenship status.
Both the Penn and Columbia hacks appear to be motivated by discontent with affirmative action policies. The email from the Penn hacker criticized the university’s hiring and admissions practices. Meanwhile, the Columbia hacker told reporters they sought data to investigate that university’s affirmative action practices.

