Penn resolved its investigation into an October 2025 cybersecurity breach — which reportedly compromised the data of over 1.2 million University students, alumni, and donors — last month.
According to a University spokesperson, Penn completed a “comprehensive review” of the Oct. 31 incident and notified affected individuals. The University's webpage about the data breach — which previously offered community guidance — now displays a 404 error.
“Penn conducted a comprehensive review of the downloaded files to determine whose information may have been involved. That review is now complete,” the University spokesperson wrote. “Penn sent notifications to the limited number of individuals whose personal information was impacted as required by applicable notification laws.”
“These notifications provided resources for individuals who have any questions or concerns,” the spokesperson added.
Penn’s webpage previously claimed that the amount of data obtained by the hackers was “mischaracterized” by reports at the time. While the webpage advised community members to take steps to protect their personal information, it emphasized the lack of evidence that the leaked data had been used for fraudulent purposes.
Since the breach, 18 Penn graduates filed class-action lawsuits against the University. The individual filings were later consolidated by a district judge.
The complaints alleged that Penn acted negligently in its cybersecurity measures and argued the breach was more damaging than the University recognized. Over the past few weeks, 7 of the original filings have been withdrawn.
A University spokesperson declined to comment on the "ongoing litigation" in response to a request for comment.
RELATED:
Penn investigating business software data breach affecting personal records
Penn institutes mandatory information security training for all employees following data breach
The breach first became apparent after a series of mass emails were sent to the Penn community from several University-affiliated addresses. Two days later, the alleged hackers told BleepingComputer — a cybersecurity news outlet — that they had breached Penn’s systems and downloaded data containing Penn donor history, estimated donor net worth, and demographic information.
On Nov. 1, the hackers released thousands of private University files to an online forum, including internal talking points and personal identifying information about University donors and their families.
RELATED:
Penn investigating business software data breach affecting personal records
Penn institutes mandatory information security training for all employees following data breach
Senior reporter Aidan Shaughnessy contributes to data and enterprise reporting and can be reached at shaughnessy@thedp.com. At Penn, he studies philosophy, politics, and economics. Follow him on X @aidannsh.
