A class action lawsuit against Penn over an October 2025 data breach at the Graduate School of Education will not proceed after a new court filing revealed on Monday that fewer than 10 people were affected by the incident.
According to Feb. 2 filing, none of the individuals affected by the data breach were plaintiffs in the lawsuit. In recent weeks, seven of the 18 Penn graduates originally consolidated in the case have withdrawn their claims.
"Following conferrals with UPenn’s counsel ahead of the initial January 19 leadership application deadline, UPenn confirmed that the breach population for the first UPenn data breach—which is the central focus of this particular litigation—impacted less than 10 people," the document continued.
The update follows a series of mass emails sent in October 2025 to individuals across the University from accounts linked to GSE. According to BleepingComputer — which specializes in coverage of technology and cybersecurity topics — the impacted data included donation history to Penn, estimated donor net worth, and demographic details such as names and race.
On Nov. 1, 2025, individuals claiming responsibility for the hack released thousands of pages of internal files, including private talking points, memos about donors and their families, receipts of bank transactions, and personal identifying information.
In the wake of the breach, the University faced several lawsuits, which were eventually consolidated under the name of the first plaintiff, 2014 College graduate Christopher Kelly.
A University spokesperson previously wrote to The Daily Pennsylvanian that administrators conducted a “comprehensive review” of the data and notified individuals whose information had been compromised. It recently announced that the process is complete.
“That review is now complete,” the spokesperson added. “Penn sent notifications to the limited number of individuals whose personal information was impacted as required by applicable notification laws.”
RELATED:
Penn investigating business software data breach affecting personal records
Alleged Penn hackers release donor records, confidential University memos following data breach
Penn's FAQ webpage with information about the hack now displays a 404 error.
The Feb. 2 filing also advocated the consolidation of legal action regarding a separate security breach that compromised Penn’s Oracle E-Business Suite servers.
The brief argued in favor of consolidating the complaints with a larger class action suit in Texas over the same breach.
“Allowing the Oracle-related UPenn litigation to proceed in this District under separate leadership could undermine the efforts of Oracle lead counsel in Texas in several ways that could be detrimental to the class,” the filing continued.
The Oracle breach — first identified in November 2025 — impacted over 100 other organizations, including Harvard University and Dartmouth College.
RELATED:
Penn investigating business software data breach affecting personal records
Alleged Penn hackers release donor records, confidential University memos following data breach
Staff reporter Lavanya Mani covers legal affairs and can be reached at mani@thedp.com. At Penn, she studies English. Follow her on X @lavanyamani_.
