The University of Pennsylvania is working with the FBI to investigate a significant cybersecurity breach after a group of hackers released thousands of internal documents on November 1. The group claims to have accessed personal data belonging to 1.2 million students, alumni, and donors, and has published sensitive files including donor information and confidential university memos.
The incident began with a series of mass spam emails sent from university-affiliated accounts on October 31, criticizing the institution's security and admissions practices. Following the emails, the alleged hackers posted a portion of the stolen data online, promising a larger public release in the coming months.
Key Takeaways
- Hackers claim to have data on 1.2 million individuals associated with the University of Pennsylvania.
- Released documents include donor records, financial transactions, and internal university communications.
- The group stated their motivation was to expose what they call a preference for legacies and donors over merit.
- The University has reported the breach to the FBI and is actively investigating the incident.
Details of the Released Data
The documents released by the group provide a glimpse into the scope of the breach. The data dump, which the hackers called an "appetizer," appeared on a public forum and contained a wide range of sensitive information. Among the files were spreadsheets detailing wire transfers and ACH transactions from individuals and corporations to the Graduate School of Education (GSE).
Personal information such as contributor addresses, phone numbers, and demographic data was also included. In a particularly sensitive disclosure, some memos contained notes about the children of donors and board members, including whether they planned to apply to Penn.
The hackers posted a message alongside the data, stating they gained "full access" to a university employee’s account, which allowed them to export the vast dataset. They also indicated plans to sell some of the data before a full public release, which they said would happen within one to two months.
By the Numbers
- 1.2 million: The number of individuals whose data the hackers claim to have stolen.
- November 1: The date the initial batch of internal files was released online.
- October 31: The date the Penn community received mass spam emails from the hackers.
Hackers' Stated Motivations and Criticisms
In their online statements, the individuals claiming responsibility outlined their reasons for targeting the university. They cited Penn’s “fairly weak authentication system” as a technical vulnerability that made the institution an attractive target. However, their primary motivation appears to be ideological.
"We think Penn is tipping the scales in favor of legacies and donors is equally if not more egregious than its affirmative action practices," the hacker told The Verge.
This sentiment was echoed in the initial spam emails sent to the Penn community, which criticized the university for its alleged preference for "legacies, donors, and unqualified affirmative action admits." The hackers described the emails as a "fun rant" sent after they had already secured the data.
They also used their online post to correct what they called mischaracterizations of the breach by media outlets, emphasizing it was not merely a compromise of an email marketing system. "We want to debunk the claim that it was only an email marketing compromise," the message stated, justifying the release of internal files from the university's SharePoint and Box storage systems.
Internal Memos Expose University Strategy
Perhaps the most revealing part of the data leak is the inclusion of confidential talking points circulated among Penn communications staff. These documents show how the university prepared to handle several recent high-profile controversies.
Guidance on Magill's Congressional Testimony
One memo provided guidance on how to discuss former Penn President Liz Magill’s controversial testimony before Congress regarding campus antisemitism. The document instructed staff that it was "truthful to say that it is context-specific whether hateful speech legally constitutes bullying or harassment."
It further explained Magill's legal constraints during the hearing.
"When testifying in front of congress, Liz Magill and her peers from Harvard and MIT were under oath. When under oath, answers must be completely truthful."
Magill’s testimony led to widespread backlash and her eventual resignation in December 2023.
Memos on Joe Biden and Other Issues
Another document from 2023 contained talking points about President Joe Biden’s time as a professor at the university. The memo asserted that he "was in fact phenomenally successful" and that "Penn is pleased with the role that President Biden played at the University." The hackers specifically claimed to have acquired data related to Biden and his family.
Other internal memos advised employees on how to discuss sensitive topics like the Palestine Writes Literature Festival and comments made by law professor Amy Wax.
A Pattern in Higher Education
Cyberattacks on universities are becoming increasingly common. This breach follows a similar incident at Columbia University over the summer, where a hacker accessed personal information, including Social Security numbers, of over 1.8 million applicants, students, and staff. These events highlight the significant security challenges facing higher education institutions, which hold vast amounts of sensitive personal and financial data.
University Response and Investigation
The University of Pennsylvania has acknowledged the breach and is taking steps to address it. In an email to the Graduate School of Education community, a spokesperson described the initial spam emails as "highly offensive" and not reflective of the university's mission.
The statement confirmed that the university's IT and Crisis Response Teams were working to stop the emails and investigate the source. On Monday, Penn officially announced it had reported the incident to the FBI and was coordinating with other law enforcement agencies.
The FBI has declined to comment on the matter, citing the ongoing investigation. As the university and federal authorities work to understand the full extent of the breach, the Penn community is left waiting to see what other information may be released and what the long-term consequences of this significant security failure will be.
