- University of Pennsylvania confirms hackers stole data on 1.2 million people.
- Attackers gained access through a stolen single sign-on account.
- Weak MFA enforcement among senior staff helped hackers bypass security.
- Offensive mass email exposed the breach before systems were locked down.
The University of Pennsylvania has confirmed it was the victim of a major cyberattack that led to the theft of data belonging to around 1.2 million people.
The stolen information reportedly includes names, dates of birth, addresses, phone numbers, estimated net worth, donation history, and demographic details such as race, religion, and sexual orientation.
According to university officials, the attack began when hackers gained access to an employee’s PennKey single sign-on account. With that access, the attackers infiltrated multiple internal systems, including the university’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files.
Investigators say the attack was carried out using social engineering, a common cybercrime tactic that tricks individuals into revealing their login details or authentication codes.
Although most university employees are required to use multi-factor authentication, a few senior officials reportedly had exemptions from this requirement, which the hackers were able to exploit.
Offensive Email Exposes the Breach
Before the attackers were completely removed from the university’s network, they used the remaining access to send a mass email to nearly 700,000 students, staff, and alumni. The email contained offensive language, criticized the institution’s policies, and claimed that the hackers had full access to its systems.
At first, the university described the emails as “obviously fake” and “fraudulent.” However, after further investigation, officials confirmed that the breach was real and that some of the claims made by the attackers were accurate.
In a recent update, the university stated that its staff acted quickly to contain the breach but admitted that sensitive data had been stolen before systems could be fully secured.
Data on 1.2 Million Individuals Exposed
The hackers claim they accessed and stole data on 1.2 million students, alumni, and donors. The stolen information includes personal identifiers, contact details, and sensitive demographic information.
Some reports also suggest the attackers obtained records showing individuals’ donation histories and even internal financial analytics about estimated net worth.
This type of data is particularly valuable to cybercriminals because it can be used for identity theft, extortion, or targeted phishing campaigns. Experts warn that the exposure of demographic and financial data could make victims more vulnerable to scams and other social engineering attacks in the future.
University’s Response and Investigation
Following the incident, the University of Pennsylvania said it immediately locked down affected systems and began a full investigation with the help of cybersecurity experts. The university also reported the attack to federal authorities and has been working to identify all individuals whose data may have been compromised.
Officials emphasized that the investigation is ongoing, and the exact scope of the stolen data is still being determined. The university has urged students, staff, and alumni to remain alert for suspicious emails, phone calls, or messages that could be attempts to exploit the stolen data.
The University of Pennsylvania said it plans to strengthen its cybersecurity measures to prevent similar incidents in the future. This includes expanding mandatory multi-factor authentication, improving employee training to recognize phishing and social engineering attacks, and enhancing network monitoring systems.
Security Lessons for Other Institutions
Cybersecurity experts say the Penn breach is a clear reminder that even elite universities are vulnerable to sophisticated attacks. Many academic institutions store large amounts of personal and financial data, making them attractive targets for hackers. The incident highlights the dangers of weak authentication practices and the need for continuous staff awareness training.
Experts also point out that social engineering remains one of the most effective tools for cybercriminals. Even a single compromised account can open the door to large-scale data theft if proper access controls and security protocols are not enforced.
The University of Pennsylvania’s ongoing investigation will likely reveal more about how the attackers gained and maintained access. For now, the university community continues to deal with the aftermath of what has become one of the most significant higher-education data breaches of the year.
Follow TechBSB For More Updates
