Penn addressed the Oct. 31 mass data breach in a message to the University community on Tuesday, stating that it had been “contained.”
In the Nov. 4 email, Joshua Beeman — Penn’s interim vice president of information technology and interim chief information officer — wrote that the University is still investigating the “nature of the information” that was obtained in the breach. The statement also referred community members to a webpage titled “Cybersecurity incident information and FAQ” that contains more information about the University’s response to the breach.
Beeman emphasized that all systems are currently operational and Penn’s information security teams have been working “around the clock” to address the incident.
The hackers sent out a series of mass emails on Oct. 31 containing criticisms of Penn’s security practices and institutional purpose from University-affiliated addresses.
On Nov. 1, the alleged hackers released thousands of pages’ worth of data, including internal University talking points, memos about donors and their families, receipts of bank transactions, and personal identifying information.
“Penn employs a robust information security program; however, access to these systems occurred due to a sophisticated identity impersonation commonly known as social engineering,” Beeman wrote. “Penn’s staff rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker.”
CrowdStrike — a third-party cybersecurity firm Penn has retained — defines social engineering as an “umbrella term that describes cyberattacks using psychological tactics to manipulate people into taking a desired action.”
The University previously announced that it had reported the breach to the Federal Bureau of Investigation.
The FAQ site linked in the email confirmed that systems accessed by the hackers include Penn’s Customer Relationship Management system in Salesforce, file repositories in SharePoint and Box, a reporting application titled Qlikview, and Marketing Cloud.
The page specified that Penn’s “development and alumni activities” were accessed with the stolen credentials, but the University has “no indication” that Penn Medicine electronic medical records were affected.
In response to the incident, Penn will implement increased monitoring, additional security measures, and new mandatory training, according to the FAQ page. Once the University finishes analyzing “the exact nature of what was taken,” Penn plans to notify individuals with impacted personal information “if and when appropriate.”
“We encourage our entire community - inside and outside of Penn - to be wary of suspicious calls or emails that could be phishing attempts, particularly those that may be soliciting fraudulent donations, asking for your system credentials, or suggesting you change credentials or passwords,” Beeman concluded in the email.
This summer, a hacker at Columbia University accessed personal identifying information — including Social Security numbers and birthdays — of more than 1.8 million applicants, students, and staff. CrowdStrike also advised Columbia following its breach.