University of Pennsylvania Confirms Data Breach Following Social Engineering Attack

The University of Pennsylvania has confirmed that cyber criminals used social engineering tactics to infiltrate its internal network, and stole confidential information belonging to staff and alumni.

 

Last week, the University of Pennsylvania launched an investigation into a major cyberattack after a threat actor gained access to a university employee’s PennKey SSO account. This unauthorized access enabled the attacker to infiltrate several internal systems, including the VPN, Salesforce, Qlik analytics, SAP, and SharePoint platforms.

 

The attacker stole sensitive data on roughly 1.2 million students, alumni, and donors—including names, contact details, birth dates, donation records, and demographic details. They also used the university’s Salesforce Marketing Cloud to send offensive emails to about 700,000 recipients and later leaked a 1.7 GB archive of files allegedly taken from SharePoint and Box.

 

In response, Penn University said it is working with law enforcement, including the FBI, to address the incident.

 

In a recent update, the university said that on October 31, it detected a network breach impacting “information systems related to Penn’s development and alumni activities.”

 

“On October 31, Penn discovered that a select group of information systems related to Penn’s development and alumni activities had been compromised. Penn employs a robust information security program; however, access to these systems occurred due to a sophisticated identity impersonation commonly known as social engineering.

 

“Penn’s staff rapidly locked down the systems and prevented further unauthorised access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker. Penn is still investigating the nature of the information that was obtained during this time,” the university said.

 

However, Penn has confirmed that it has restored the affected systems and successfully cut off the unauthorised access established by the threat actors.

 

Penn stated that it is aware of media reports stating that 1.2 million records were stolen. However, the university noted that its investigation remains ongoing to determine the exact scope and nature of the compromised information and, as such, it cannot confirm those figures at this time.