A recent breach at the University of Pennsylvania has escalated concerns about cybersecurity practices in higher education. A hacker has claimed responsibility for the incident, revealing extensive access to sensitive data affecting approximately 1.2 million donors and internal documents.
On Friday, alumni and students received emails from addresses associated with Penn.edu asserting that the university had suffered a significant data breach. The emails, which included derogatory remarks about the institution, raised immediate concerns about the university’s cybersecurity posture.
The hacker, who contacted BleepingComputer, maintained that their access to the university’s systems had been substantial and attributed the intrusion to critical lapses in the institution’s cybersecurity measures. They asserted that their group had acquired “full access” to a Penn employee’s PennKey single sign-on (SSO) account, and through it gained access to the university’s VPN, Salesforce data, the Qlik analytics platform, the SAP business intelligence system, and SharePoint files.
The implications of this breach are severe. The hacker claims to have extracted extensive personal information on donors and students, including names, birth dates, addresses, phone numbers, estimated net worth, donation history, and demographic characteristics such as religion, race, and sexual orientation. The attacker disclosed screenshots and data samples as evidence to support these claims.
The breach reportedly occurred on October 30th, with data exfiltration concluding on October 31st, when the compromised employee account was locked. Despite losing access to the primary systems, the attacker retained access to Salesforce Marketing Cloud, from which they distributed offensive emails to approximately 700,000 recipients.
The hacker did not disclose how they had acquired the credentials used in the breach, attributing their success only to lapses in the university’s cybersecurity framework. They have since published a 1.7 GB archive alleged to contain spreadsheets, donation-related materials, and various files taken from the institution’s SharePoint and Box systems.
The attacker stated that their actions were not motivated by monetary gain, asserting that their primary interest lay in the university’s extensive donor database. They dismissed the idea of financial extortion, claiming, “We can extract plenty of value out of the data ourselves.”
Guidance for Penn Donors
In light of this significant data exposure, Penn donors should remain vigilant against phishing and social engineering attempts. Attackers may exploit the acquired data to impersonate the university or solicit fraudulent donations, putting donors’ online accounts at risk.
Recipients of unexpected communications regarding donations should exercise caution and verify any inquiries directly with the university before taking further action. Maintaining an awareness of cybersecurity practices can significantly mitigate the risk associated with such breaches.
