Following a series of mass emails alleging Penn had been hacked, individuals claiming responsibility for the security breach released thousands of pages of internal University files on Nov. 1.
The documents — which were released by the alleged hacker on LeakForum and reviewed by The Daily Pennsylvanian — include internal University talking points, memos about donors and their families, receipts of bank transactions, and personal identifying information. In a message accompanying the data, the group claimed that it gained “full access” to a University employee’s PennKey account and export data on “1.2 million University of Pennsylvania students, alumni, and donors” from University databases.
A University spokesperson declined to comment on the released documents.
The group also wrote on LeakForum that the data would be “kept private for our own use for a short period of time, but it will be released publicly within the next 1-2 months after our group has used it.” An alleged hacker later told The Verge that they plan to sell some of the data before publicizing it.
The alleged hacker also told The Verge that the motivation behind their actions was to secure the data of ultra-high-net-worth individuals — adding that their selection of Penn as a target was informed by the University’s “fairly weak authentication system.”
“We think Penn is tipping the scales in favor of legacies and donors is equally if not more egregious than its affirmative action practices,” the hacker told The Verge.
On Oct. 31, mass spam emails were sent from multiple University-affiliated email addresses to the Penn community and contained criticisms of the University’s security practices and institutional purpose.
“That email was certainly not the most eloquent communication ever written, and we’d have loved to go into more detail about the university’s hatred of merit and love of nepobabies and unqualified DEI picks, but time was extremely limited,” the LeakForum message stated.
RELATED:
Penn reports GSE hack, ‘breach of data’ to FBI
Hacker claiming responsibility for scam Penn emails stole data from 1.2 million people, report says
In the messages — which were sent “just as a fun rant” after donor data was already secured, according to The Verge — the hacker appeared to threaten to release user data, writing that “all your data will be leaked.”
The message additionally emphasized that media outlets had mischaracterized the nature of the data breach as “merely a compromise of the university’s email marketing system.”
“We want to debunk the claim that it was only an email marketing compromise by publishing an ‘appetizer’ of some data exported from the university’s SharePoint and Box,” the message said. “More will be published later.”
Documents included in the data dump detailed donations from individual members of the Graduate School of Education Board of Advisors to Penn. In multiple instances, the documents list whether children of donors or board members planned to apply to Penn.
The Oct. 31 emails from the hackers alleged that the University “love[s] legacies, donors, and unqualified affirmative action admits.”
The released data also included thousands of spreadsheets containing records of wire and ACH transactions of donations made by individuals and corporations to GSE. Other documents show contributors’ addresses, phone numbers, and demographic data.
Several files also referenced Penn schools and departments beyond GSE.
The published documents included confidential talking points — which appear to have been circulated to Penn communications staffers — in response to several controversies that have affected the University in recent years.
In a memo regarding former Penn President Liz Magill’s congressional hearing, the document tells faculty that it was “truthful to say that it is context-specific whether hateful speech legally constitutes bullying or harassment.”
“When testifying in front of congress, Liz Magill and her peers from Harvard and MIT were under oath,” the document read. “When under oath, answers must be completely truthful.”
The testimony served as a key turning point in the national scrutiny of Penn’s response to allegations of campus antisemitism in the months after Hamas’ Oct. 7, 2023 attacks on Israel. Following widespread backlash and a high-profile donor campaign, Magill resigned in December 2023.
A 2023 document containing talking points about former President and Benjamin Franklin Professor of Presidential Practice Joe Biden’s relationship with the University stated that he “was in fact phenomenally successful” during his time at Penn.
“Penn is pleased with the role that President Biden played at the University and for his commitment to interact and engage with so many members of the Penn community,” the document read.
The hacker claims to have acquired the data of Biden and his family, according to The Verge.
Additional memos in the data dump advised Penn employees on how to discuss the Palestine Writes Literature Festival, comments made by University of Pennsylvania Carey Law School professor Amy Wax, and the federal government’s endowment tax.
In an email to the GSE community on Friday, a spokesperson for the school described the emails as “highly offensive,” adding that they “are in no way reflective of Penn or Penn GSE’s mission or actions.”
“Please know that we are actively and quickly investigating and taking immediate steps to stop these emails from being sent,” the spokesperson wrote. “Our IT team at Penn GSE and the University’s IT team and Crisis Response Teams are working as quickly as they can.”
On Monday, Penn announced that it had reported the breach to the FBI and was working with other law enforcement agencies to investigate “the breach of data of select information systems.”
The FBI declined to comment, citing the ongoing federal government shutdown.
Multiple higher education institutions have been the victims of cyberattacks in recent years. This summer, a hacker at Columbia University accessed personal identifying information — including Social Security numbers and birthdays — of more than 1.8 million applicants, students, and staff.
Have more information about the Penn cybersecurity hack? Submit a confidential tip using this form or reach our reporting team via Signal at jasni.75 or ethanyoung.22.
RELATED:
Penn reports GSE hack, ‘breach of data’ to FBI
Hacker claiming responsibility for scam Penn emails stole data from 1.2 million people, report says
Ethan Young is the Editor-in-Chief of The Daily Pennsylvanian and can be reached at young@thedp.com. At Penn, he studies history and political science. Follow him on X @EthanYoung.
