University of Pennsylvania confirms recent cyberattack led to major data theft

News
By published

The University says it is still investigating

Users display warnings about the use of artificial intelligence (AI), access to malicious software or threats to online hackers. computer cyber security Warning concept or tech scam.
(Image credit: Shutterstock)
  • Hackers accessed University systems via stolen SSO credentials, stealing data on 1.2 million individuals
  • Offensive mass email followed partial lockout; University later confirmed the breach was real
  • Attack exploited weak MFA enforcement among senior staff through social engineering

It seems the “obviously fake” and “fraudulent” claims recently made by the University of Pennsylvania hackers are not so “obviously fake” and “fraudulent”, after all - as the organization has now confirmed hackers stole files from its systems.

Cybercriminals recently revealed they had obtained “full access” to a University employee’s PennKey SSO account, which gave them access to its VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files. Using that access, they stole data on approximately 1.2 million students, alumni, and donors.

The information stolen allegedly includes people’s names, dates of birth, addresses, phone numbers, estimated net worth, donation history, and demographic details (race, religion, sexual orientation, and similar).

Investigating the attack

After being thrown out from most of the network, they used what remaining access they had to send an angry email to roughly 700,000 recipients:

"The University of Pennsylvania is a dog**** elitist institution full of woke ret*rds. We have terrible security practices and are completely unmeritocratic," the email said.

"We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits. We love breaking federal laws like FERPA (all your data will be leaked) and Supreme Court rulings like SFFA."

At first, the University of Pennsylvania described the emails as “obviously fake” and “fraudulent”, but backtracked on these claims in a recent update:

“Penn’s staff rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker,” the update reads. “Penn is still investigating the nature of the information that was obtained during this time.”

Penn also said that the attack was done through social engineering. Most employees are required to use multi-factor authentication (MFA) but according to TechCrunch, some of the top brass was allowed to skip this step.

Via TechCrunch

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.