The University of Pennsylvania acknowledged Tuesday that hackers stole the university's data as part of last week's data breach, during which alumni and other officials received suspicious emails from official university email addresses.
The message from the hacker read, “We have been hacked.” “We love breaking federal laws like FERPA (all your data will be leaked),” the message added. “Please stop giving me money.”
Penn initially told TechCrunch that the email was “fraudulent,” but the university has now acknowledged the hackers' claims that the data was stolen during the breach.
“On October 31, Penn discovered that a select group of information systems related to university development and alumni activities had been compromised,” the university said in a statement, which was emailed to alumni and shared online. “Penn staff quickly locked down the system and prevented further unauthorized access, but not before aggressive and fraudulent emails were sent to our community and information was stolen by the attackers.”
(Disclosure: The hacker, a University alumnus and former employee, sent messages to my personal email address three times, each with a different official @upenn.edu address, including one from a senior Penn staff member.)
A partially redacted email sent by a hacker from a University of Pennsylvania email address. Image credit: TechCrunch (screenshot)
The university said the breach occurred through a social engineering attack. Social engineering attacks are hacking techniques in which individuals are tricked into handing over sensitive information, such as login credentials, for example through phishing emails or phone calls.
A Penn staff member, who declined to be named because he is not authorized to speak to the press, told TechCrunch that the university requires students, employees and alumni to use multi-factor authentication (MFA) on their accounts as a security measure. However, the employee said some senior officials were granted exemptions from the MFA requirement.
TechCrunch asked Penn about these alleged MFA exemptions and whether the university could provide MFA adoption rates for its employees. Penn spokesperson Ron Ozio declined to comment to TechCrunch beyond what is posted on Penn's official data incident page.
Penn said it would contact individuals whose personal information was accessed by the hackers, as required by law. The university did not say when these notifications would be made, how many people were affected or what information was accessed.
The Daily Pennsylvanian reported that the Penn hacker claimed to have stolen documents related to university donors, bank transaction receipts and personally identifiable information. The hackers said they were financially motivated.
Earlier this year, hackers broke into Columbia University and accessed sensitive information, including Social Security numbers and citizenship status, on approximately 870,000 students and applicants.
Both the Penn and Columbia hacks appear to be motivated by dissatisfaction with affirmative action policies. In an email sent by the Penn hacker to the university community, the hacker wrote, “We love our heritage and our donors, and we embrace and embrace fools because we allow unconditional affirmative action.” Meanwhile, the hackers behind the Columbia University breach told Bloomberg they sought to access the university's data to investigate its affirmative action practices.
If you would like more information about the Penn hack, you can contact Amanda Silberling securely on Signal (@amanda.100) or by email from a non-work device.

