
The University of Pennsylvania is investigating reports that a threat actor used a university email account to send offensive messages to students and alumni and has claimed access to 1.2 million donor records and internal files.
Last week, multiple University of Pennsylvania students and alumni reported receiving offensive emails originating from Penn.edu addresses. The messages said that the university had been compromised and that data had been stolen.
The emails were sent from connect.upenn.edu, a University of Pennsylvania mailing list service operated through Salesforce Marketing Cloud. The university, however, minimised the situation, referring to the messages as “fraudulent emails” that were “clearly fake.”
A threat actor contacted BleepingComputer, claiming responsibility for the intrusion, which allegedly extended beyond initial reports. According to the cyber criminal, their group obtained full access to a University of Pennsylvania employee’s PennKey SSO account, which in turn provided entry to several internal systems, including the VPN, Salesforce, the Qlik analytics platform, the SAP business intelligence system, and SharePoint repositories.
The hacker said that they exfiltrated sensitive data belonging to approximately 1.2 million students, alumni, and donors. The stolen information includes names, dates of birth, contact details, estimated net worth, donation records, and demographic attributes.
The attackers added that they breached Penn’s systems on October 30 and completed data exfiltration by October 31, when the compromised account was locked.
After losing access, they used Salesforce Marketing Cloud to send an offensive mass email to about 700,000 people. They later released a 1.7 GB archive containing spreadsheets, donation records, and other files reportedly taken from SharePoint and Box.
In a statement shared with the media about the reports of a significant data security incident, a University of Pennsylvania spokesperson said, “We are continuing to investigate.”