Penn institutes mandatory information security training for all employees following data breach

Following last month’s cybersecurity breach, Penn implemented a new mandatory information security training for all faculty and staff on Thursday.

The training, titled “Information Security at Penn: A Practical Guide,” consists of three short modules and brief assessments accessible through Workday Learning, according to the Nov. 20 email. Provost John Jackson Jr., Executive Vice President Mark Dingfield, and Interim Vice President of Information Technology and Interim University Chief Information Officer Josh Beeman signed the message, which said that the training must be completed by Dec. 31.

During the breach, hackers accessed systems containing thousands of pages of internal University files — which includes data about donors, alumni, and students.

“This training will equip Penn employees with practical skills to recognize and prevent cybersecurity threats,” Beeman wrote to The Daily Pennsylvanian. 

Requests for comment were left with Jackson and Dingfield.

All Penn faculty and staff — including student workers and postdoctoral students — will be required to complete the training.

“On October 31, 2025, systems supporting Penn’s development and alumni activities were accessed using stolen credentials obtained through a sophisticated form of identity impersonation known as social engineering,” the email said. “It is essential that our community remains vigilant and prepared to recognize and report these types of attacks—especially suspicious phone calls or emails that may be phishing attempts.”

The email emphasized that cyber threats pose a “serious and persistent risk.”

“Criminals are increasingly targeting individuals, and some members of our Penn community have experienced account compromises,” the email added.

The modules should each take approximately five minutes to complete asynchronously — and employees who completed the course on or since Sept. 25 are not required to retake it. 

The email warned that failure to complete the training by the deadline “may result in loss of access to University systems.”

The breach has resulted in multiple class-action lawsuits against the University. On Nov. 17, plaintiffs petitioned a district court to combine more than a dozen suits filed in the two weeks since the breach. 

The plaintiffs claimed that Penn did not sufficiently protect sensitive personal information and did not notify those affected in a timely manner.

Following the breach, Penn’s webpage advised preventative measures that community members can take to protect their data — such as monitoring credit reports, placing fraud alerts on their credit cards, and staying vigilant of personal information requests.

“Ensuring the security and integrity of the University's systems and information is critical to Penn’s mission,” the Nov. 20 email read. 

---