Penn has faced a wave of class action lawsuits alleging it did not take sufficient steps to protect confidential data following last week’s security breach of “select information systems.”
As of publication, The Daily Pennsylvanian identified four separate lawsuits filed by Penn graduates that allege the University was negligent in implementing adequate cyber security measures. The lead plaintiffs are 2014 College graduate Christopher Kelly, 2018 University of Pennsylvania Carey Law School graduate Mary Sikora, 2014 College graduate Christian Bersani, and 2022 Graduate School of Education graduate Kelli Mackey. Three of the lawsuits were filed on Tuesday following Kelly’s filing Monday evening.
Requests for comment were left with Kelly and Bersani. Mackey and Sikora could not be reached for comment by the time of publication.
The text used in three of the lawsuits is identical, with Kelly first submitting the filing on Nov. 3, followed by Sikora and Bersani on Nov. 4. The filing claimed that Penn was negligent in several areas, including failing to “maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks,” “properly monitor its own data security systems for existing intrusions,” and “ensure that its vendors with access to its computer systems and data employed reasonable security procedures.”
A fourth lawsuit — filed by Mackey — lodged similar complaints against the University, alleging that Penn failed “to protect the sensitive information of its students, alumni, and donors.” The lawsuit alleged that when the plaintiff was a student at GSE, she was “required” to share her “Personally Identifiable Information” with the University and chose to remain on Penn’s email list “to keep updated on alumni events, university news, and to receive other miscellaneous announcements.”
On Nov. 2, BleepingComputer reported that a hacker claiming responsibility for the data breach alleged that they stole data from 1.2 million students, alumni, and donors.
Mackey’s lawsuit alleged that the data breach “appears to be much broader and more damaging than Defendant is currently recognizing.”
“The full extent of the repercussions of the Data Breach have not yet been discovered, and the consequences as such will likely continue to arise as time goes on,” the lawsuit stated.
RELATED:
Alleged Penn hackers release donor records, confidential University memos following data breach
Penn says data breach is ‘contained’ as extent of stolen data remains unclear
Penn addressed the data breach in a message to the community on Tuesday, stating that it has been “contained.”
In the email, Joshua Beeman — Penn’s interim vice president of information technology and interim chief information officer — wrote that the University is still investigating the “nature of the information” that was obtained in the breach.
The statement also referred community members to a webpage titled “Cybersecurity incident information and FAQ” that contains more information about the University’s response to the breach.
Have more information about the Penn cybersecurity hack? Submit a confidential tip using this form or reach our reporting team via Signal at jasni.75 or ethanyoung.22.
