The University of Pennsylvania confirmed on Tuesday that a hacker stole university data as part of last week’s data breach, during which alumni and other affiliates received suspicious emails from official university email addresses.
“We got hacked,” the message from the hackers read. “We love breaking federal laws like FERPA (all your data will be leaked),” the message added. “Please stop giving us money.”
While Penn initially told TechCrunch that the email was “fraudulent,” the university has now confirmed the hacker’s claim that data was taken during the breach.
“On October 31, Penn discovered that a select group of information systems related to Penn’s development and alumni activities had been compromised,” the university wrote in a statement, which was emailed to alumni and shared online. “Penn’s staff rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker.”
(Disclosure: As an alumna and former employee of the university, the hackers sent the message to my personal email three times, each coming from different official @upenn.edu email addresses, including one from a senior Penn staff member.)
The university said that the breach occurred due to a social engineering attack, a hacking technique in which individuals are tricked into handing over sensitive information like log-in credentials, perhaps through phishing or a phone call.
A Penn employee, who we are not naming, as they were not authorized to speak to the press, told TechCrunch that the university requires students, staff, and alumni to use multi-factor authentication (MFA) on their accounts as a security measure; however, the employee said that some high-ranking officials were granted exemptions to MFA requirements.
TechCrunch asked Penn about these alleged MFA exceptions, and if the university could provide a percentage of MFA adoption among staff. Penn spokesperson Ron Ozio declined to comment to TechCrunch beyond Penn’s official data incident page.
As required by law, Penn said it will contact individuals whose personal information was accessed by hackers. The university has not said when these notifications will occur, how many people are affected, or what information was accessed.
The Daily Pennsylvanian reports that the alleged Penn hacker claimed to have taken documents relating to university donors, bank transaction receipts, and personally identifiable information. The hacker said they were financially motivated.
Earlier this year, hackers breached Columbia University, accessing sensitive information about around 870,000 students and applicants, including their Social Security numbers and citizenship status.
Both the Penn and Columbia hacks appear motivated by discontent with affirmative action policies. In the email that the Penn hacker sent to the university community, the hacker wrote, “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.” Meanwhile, the Columbia hacker told Bloomberg that they sought to access data from the university to investigate its affirmative action practices.
If you have more information about the Penn hack, you can contact Amanda Silberling securely on Signal at @amanda.100, or by email, from a non-work device.
