Penn says hackers ‘overstated’ amount of data stolen in cybersecurity breach

Penn stated on Friday that the amount of data obtained by hackers in an Oct. 31 cybersecurity breach was “mischaracterized” and “overstate[d].”

The University — released on its “Cybersecurity incident information and FAQ” webpage — addressed statements made by the individuals claiming responsibility for the hack that 1.2 million lines of data from students, alumni, and donors were stolen in the breach. At the time of publication, the updated page stated that the investigation is still ongoing and a “precise number” of records could not be determined.

The webpage also featured three new FAQs. The first confirmed that Penn will “notify any individuals with impacted personal information” once the investigation is complete — a process the page stated will “take time.” 

A separate FAQ addressed community concerns regarding the reports of stolen credit and identities, which the University wrote lacks evidence.

“While our investigation is ongoing, we do not currently have evidence to indicate that information involved in this incident has been used for the purposes of fraud,” the updated page noted. 

After the breach, Penn faced a wave of class action lawsuits — which have grown to over a dozen separate claims since last week — all filed by University graduates alleging that Penn acted negligently in its cyber security measures. The complaints also argue that the breach appears to be more damaging than the University has acknowledged. 

Penn’s webpage advised the community of steps they can take to protect their data, including reviewing credit reports, placing fraud alerts on their credit cards, and remaining vigilant of requests for personal information. 

On Nov. 10, Princeton University experienced a cybersecurity attack on a database that contained information about alumni, donors, students, parents, and some faculty. A Nov. 15 message from the university stated that it has “no factual information indicating” that the incident was connected to the “recent attack” at Penn.

On Oct. 31, a series of mass emails were sent to the Penn community from multiple University-affiliated addresses containing criticism of the University’s security practices and institutional purpose. Two days later, the hackers told BleepingComputer — a news outlet specializing in technology and cybersecurity coverage — that they breached Penn’s systems and downloaded data containing Penn donor history, estimated donor net worth, and demographic information. 

The hackers released thousands of files to an online forum on Nov. 1, including internal University talking points and personally identifying information about donors and their families. The group said that they gained access to the records after logging into a University employee’s PennKey account, according to a forum post reviewed by The Daily Pennsylvanian.

The Verge later reported that the breach was intended to secure the data of ultra-high-net-worth individuals to sell before publicizing.

---