Cybercrime group ShinyHunters appears to have taken responsibility for the October 2025 data breach at Penn’s Graduate School of Education — releasing thousands of pages of additional internal University files on Wednesday.
In a Feb. 4 post on the group’s forum, ShinyHunters wrote that it leaked the data because Penn “did not pay a ransom or cooperate and comply.” The post — which came days after a court filing claimed the Oct. 31, 2025 incident “impacted less than 10 people” — alleged the data breach affected 1.2 million records.
“This is the direct result of advisors advising you against paying a ransom,” the alleged hackers wrote in a document they released. “It has the opposite affect. Do NOT provoke us again and pay the ransom when we contact you.”
The files include private documents that were not released in the initial breach, such as University donor records, internal talking points, and a November 2023 progress report from the University Antisemitism Action Plan.
“We are analyzing the data and will notify any individuals if required by applicable privacy regulations,” a University spokesperson wrote to The Daily Pennsylvanian.
The leak also appears to contain personal information of several high-profile individuals — including 1968 Wharton graduate and President Donald Trump and members of his family.
Multiple members of the Trump family were internally labeled by Penn as “Confirmed Ultra High Net Worth” individuals.
A request for comment was left with a White House spokesperson.
Since the breach, 18 Penn graduates filed class-action lawsuits against the University. The individual filings were later consolidated by a district judge.
The complaints alleged that Penn acted negligently in its cybersecurity measures and failed to accurately represent the scope of the breach. Over the past few weeks, seven of the original filings have been withdrawn.
According to the most recent court filing, “UPenn confirmed that the breach population” for the incident “impacted less than 10 people.”
A University spokesperson previously told the DP that Penn completed a “comprehensive review” of the cybersecurity incident and notified affected individuals.
The cybercrime group previously wrote that the data would be “kept private for our own use for a short period of time, but it will be released publicly within the next 1-2 months after our group has used it.” The alleged hacker later told The Verge that the group planned to sell the data before releasing it to the public.
Senior reporter Anvi Sehgal leads coverage of the University's administration and can be reached at sehgal@thedp.com. At Penn, she studies philosophy, politics, and economics. Follow her on X @anvi_sehgal.
