"We have terrible security practices" - University of Pennsylvania hackers say they've stolen over a million records in major cyberattack

News
By published

Hackers also insulted the University

A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
(Image credit: Shutterstock)
  • Attacker accessed University systems via compromised SSO, stealing data on 1.2 million individuals
  • Offensive mass email sent post-ejection using retained access to Salesforce Marketing Cloud
  • Stolen data includes PII, financials, and demographics; attacker targets wealthy donors, no ransom planned

Cybercriminals have claimed responsibility for the recent cyberattack on the University of Pennsylvania, claiming they stole data on approximately 1.2 million students, alumni, and donors.

An unnamed threat actor told BleepingComputer they gained “full access” to a University employee’s PennKey SSO account, which gave them access to Penn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files.

The information stolen allegedly includes people’s names, dates of birth, addresses, phone numbers, estimated net worth, donation history, and demographic details (race, religion, sexual orientation, and similar).

Offensive emails

The confirmation came in response to the University’s claims which somewhat downplayed the severity of the hit.

Data exfiltration seems to have taken place around October 30 and 31, after which the University spotted the intrusion and ousted the attacker. The move seems to have angered them, as they then used access to Salesforce Marketing Cloud (which they kept), to send an offensive email to roughly 700,000 recipients.

"The University of Pennsylvania is a dog**** elitist institution full of woke ret*rds. We have terrible security practices and are completely unmeritocratic," the email said.

"We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits. We love breaking federal laws like FERPA (all your data will be leaked) and Supreme Court rulings like SFFA."

The University of Pennsylvania described the emails as “obviously fake” and “fraudulent”.

The attackers then confirmed they will not ask the University for a ransom payment, since they don’t think the victims would pay, anyway. "The main goal was their vast, wonderfully wealthy donor database,” they said.

It would seem they will try to target the donors now.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.