The private information of approximately 9,000 Penn students was accessed in a privacy breach this past spring semester involving advance class registration lists.
On Monday, the University notified the students affected via email that the incident occurred and that the investigation was ongoing, but a subsequent email sent by Associate Dean and Chief Information Officer of Penn Law Kay McDonnell on Tuesday afternoon to all Law students revealed the number of students affected.
McDonnell wrote that 867 of those students came from Penn Law.
The class lists contained information on class enrollment and included students' name and the last four digits of their social security numbers, according to the email sent out Monday by Chief University Privacy Officer Scott Schafer.
Schafer did not respond to immediate request for comment.
University spokesperson Stephen MacCarthy did not respond to immediate request for comment.
The email indicates that advance class registration lists for this past spring semester were downloaded by an unauthorized user, who accessed the lists through a “course registration application.” That server has since been taken offline.
In the investigation, the University Privacy Office tracked the information to a folder stored in a cloud storage provider which was emailed to an extracurricular group’s Penn listserv, according to the email.
The email indicates that Penn “took steps” to remove the information from the cloud storage provider and requested that the extracurricular group permanently delete the original email and its information. The investigation is ongoing.
The students who reportedly received the email were enrolled in the four undergraduate schools. Some students were taking classes that were not in their home school.
Wharton sophomore Catalina Muñoz, who received the email, said she is confused as to what the real risk level was.
“It’s definitely alarming that strangers have our social security numbers,” Muñoz said. “I’m honestly just super confused.”
Despite no evidence that student personal information was used, the email advised students to “exercise caution” and provided students with information on how to proceed.
"Although we have no evidence at this point of any unauthorized use of your personal information, the University would like to exercise caution and provide you information on steps that you can take to protect yourself against potential misuse of information," Schafer wrote in the email, noting the attached information to the email.
The four steps attached in a document included changing passwords, reviewing statements for bank accounts and credit cards, monitoring credit reports, and placing a fraud alert on credit reports.
Engineering junior Madeline McGovern said her primary worry is the motivation and punishment of the on-campus group accessing information.
“I guess it just makes me think more about data security,” McGovern said. “I’m more concerned about why there are student groups on campus trying to get student information.”
She added that she hopes the University will continue to update students about the process of the investigation and will consider punishing the extracurricular group involved.
This is a developing story that was last updated on Tuesday, March 13 at 5:14 p.m. Check back for updates. If you would like to comment on this story, please contact News Editor Kelly Heinzerling at firstname.lastname@example.org.