A Penn alumnus filed a class-action lawsuit against the University on Monday, alleging that Penn was negligent and failed to protect personally identifiable information from being obtained by hackers in last week’s security breach.
The Nov. 3 suit — filed by 2014 College graduate Christopher Kelly in the United States District Court for the Eastern District of Pennsylvania on behalf of all other “similarly situated individuals” — comes after mass spam emails were sent from Penn-affiliated email addresses on Oct. 31 alleging that the University had been hacked. In the complaint, Kelly alleged that as a “result of UPenn’s negligence and insufficient data security, cybercriminals easily infiltrated Defendant’s inadequately protected email accounts” and accessed personally identifiable information.
Requests for comment were left with a University spokesperson, Kelly, and the plaintiff’s lawyers.
The filing claimed that Penn was negligent in several areas, including failing to “maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks,” “properly monitor its own data security systems for existing,” and “ensure that its vendors with access to its computer systems and data employed reasonable security procedures.”
According to the complaint, the University’s failure to protect this information violates Section 5 of the Federal Trade Commission Act, which prevents “unfair or deceptive acts or practices in or affecting commerce.”
The lawsuit alleged that Penn “deliberately” chose not to implement “adequate data security prior to the Breach.” It further claimed that the individuals who obtained the data would “undoubtedly use their PII for nefarious purposes for the rest of their lives.”
By obtaining this information, the University has assumed “legal and equitable duties to Plaintiff and the Class to protect and safeguard their Private Information from unauthorized access and intrusion,” the plaintiff argued.
On Monday, a Penn spokesperson told The Daily Pennsylvanian that the University reported the cybersecurity attack to the Federal Bureau of Investigation.
“We understand and share our community’s concerns and have reported this to the FBI. We are working with law enforcement as well as other third-party technical resources to address this as rapidly as possible,” the spokesperson added.
The DP previously reported that the individuals claiming responsibility for the security breach released thousands of documents in a data dump — including internal University talking points, memos about donors and their families, bank transaction receipts, and personally identifiable information.
An alleged hacker later told The Verge that the motivation behind their actions was to secure the data of ultra-high-net-worth individuals — adding that their selection of Penn as a target was informed by the University’s “fairly weak authentication system.”






