Penn has reported last week’s mass cybersecurity breach to the Federal Bureau of Investigation following reports that the hack compromised data for millions of individuals.
The breach resulted in mass scam emails sent on Oct. 31 from multiple University-affiliated email addresses that were addressed to the Penn community and contained criticisms of the University’s security practices and institutional purpose. A University spokesperson wrote to The Daily Pennsylvanian that the matter has been referred to law enforcement and the FBI as Penn investigates a “breach of data of select information systems.”
In the initial emails, the hacker appeared to threaten to release user data, writing that “all your data will be leaked.”
“We understand and share our community’s concerns and have reported this to the FBI. We are working with law enforcement as well as other third-party technical resources to address this as rapidly as possible,” the spokesperson added.
A request for comment was left with the FBI.
In an email to the Penn Graduate School of Education community on Friday, a spokesperson for the school described the emails as “highly offensive,” adding that they “are in no way reflective of Penn or Penn GSE’s mission or actions.”
“Please know that we are actively and quickly investigating and taking immediate steps to stop these emails from being sent,” the spokesperson wrote. “Our IT team at Penn GSE and the University’s IT team and Crisis Response Teams are working as quickly as they can.”
According to BleepingComputer, the hacker claiming responsibility for the breach alleged that they stole data from 1.2 million students, alumni, and donors.
The affected data includes donation history to Penn, estimated donor net worth, and demographic details such as names and race, according to the outlet.
The attackers told BleepingComputer they breached Penn’s systems on Oct. 30 and completed data downloads by Oct. 31. According to the reports, after they lost access to the compromised employee account, the hacker realized that they still had access to Salesforce Marketing Cloud and used it to send the mass email to “roughly 700,000 recipients.”






