Saturday, Dec. 13, 2025
The Daily Pennsylvanian

Hacker claiming responsibility for spam Penn emails stole data from 1.2 million people, report says

11-02-25 Penn GSE (Chenyao Liu

A hacker claiming responsibility for Penn’s Oct. 31 cybersecurity breach alleged that they stole data from 1.2 million students, alumni, and donors, according to new reporting from BleepingComputer.

The report follows a series of mass emails sent on Oct. 31 to individuals across the University from accounts linked to the Graduate School of Education. According to BleepingComputer — which specializes in coverage of technology and cybersecurity topics — the impacted data includes donation history to Penn, estimated donor net worth, and demographic details such as names and race.

The initial messages — sent from multiple University-affiliated email addresses — were addressed to the Penn community and contained criticisms of the University’s security practices and institutional purpose, describing Penn as “completely unmeritocratic.”

The Daily Pennsylvanian could not independently verify the outlet’s claims at the time of publication.

In response to a request for comment, a University spokesperson told the DP that Penn is “continuing to investigate.”

A GSE spokesperson previously described the emails as “highly offensive,” adding that they “are in no way reflective of Penn or Penn GSE’s mission or actions.”

“Please know that we are actively and quickly investigating and taking immediate steps to stop these emails from being sent,” the spokesperson wrote. “Our IT team at Penn GSE and the University’s IT team and Crisis Response Teams are working as quickly as they can.”

The alleged hacker told BleepingComputer that their group gained access to Penn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files. To corroborate these claims, they shared “screenshots and data samples” with the publication.

The purported hacker also told BleepingComputer that the information was not stolen to extort the University.

“We don’t think they’d pay, and we can extract plenty of value out of the data ourselves,” the hacker told the outlet.

They said the attack wasn’t politically motivated and that the main target was Penn’s “vast, wonderfully wealthy donor database.”

The attackers told BleepingComputer they breached Penn’s systems on Oct. 30 and completed data downloads by Oct. 31. According to the reports, after they lost access to the compromised employee account, the hacker realized that they still had access to Salesforce Marketing Cloud and used it to send the mass email to “roughly 700,000 recipients.”

Though BleepingComputer reported that the database “has not yet been leaked,” the threat actors claimed they “may release it in a month or two.”