Mask and Wig is the “extracurricular group” whose listserv was connected to the release of the private information of approximately 9,000 Penn students.
Earlier this week, the University notified the students affected via email that their personal information had been accessed and that an investigation was ongoing. The email indicated that an extracurricular group had been sent the downloaded information — which included class enrollment, student names, and the last four digits of their social security numbers.
A subsequent email sent by Associate Dean and Chief Information Officer of Penn Law Kay McDonnell on Tuesday to all Penn Law students revealed the number of students affected, which included 867 Penn Law students.
Chief University Privacy Officer Scott Schafer, who sent the initial email, did not respond to multiple requests for comment.
The private information was sent by a Mask and Wig alumnus to one of the group’s listservs late this February, Mask and Wig Secretary-Treasurer and College senior Ethan Fein said. He added that the listserv is primarily used by alumni and undergraduates to send funny or interesting articles from the Internet.
“It was completely unsolicited and [the alumnus] sent it out without any warning,” Fein said, stressing that the alumnus currently “has no connection to the undergraduate organization of Mask and Wig.”
The individual’s motivations for downloading the personal information and sending it to recipients of the listserv were not made clear to the group, beyond an accompanying message that said “why not.”
Fein said he thought that the alumnus may have been “making fun of the system” by demonstrating his ability to access class enrollments.
After receiving the email with the information from the alumnus, Fein said the group did not reach out to the University to report the individual, but rather removed him from the listserv and told members not to download the information.
“At the time he sent the email, we weren’t aware of the seriousness of the information that the document he sent contained,” Fein said. “He said it was a list of what classes different individuals were taking. We didn’t think that that information by itself necessitated action on our part.”
According to Fein, Penn Information Systems and Computing reached out to Mask and Wig via email after spring break notifying the group there was an ongoing investigation into the incident. Working with ISC, Fein said that the group instructed everyone on the listserv to delete the information that they had received.
Fein estimated that approximately 20 undergraduate Mask and Wig students received the leaked information because they were on the listserv, but said that he was unsure whether any students downloaded the information to their computer before Penn deleted it from the server.
Fein said Mask and Wig was not informed by ISC that they would be notifying all 9,000 students who were affected by the leak. Undergraduate Mask and Wig members who were included in the folder received the email from ISC at the same time their peers did.
“We’ve conveyed the seriousness of the issue to all undergrads, and we’ve spoken personally with anyone who we thought downloaded the information,” Fein said. “We believe that the structure of our organization is such that nobody would betray our trust and keep the information.”
He added that the group has not seized any computers to see if the information was downloaded.
Fein could not speak to the identity of the hacker due to ISC instructions, but he believed that no current undergraduate students had a relationship with him.
“The Graduate Board of Mask and Wig is looking into taking further action against the individual in question,” Fein said. “We obviously take the matter extremely seriously.”