The University of Pennsylvania confirmed on Tuesday that a hacker stole university data as part of last week’s data breach, during which alumni and other affiliates received suspicious emails from official university email addresses.
“We got hacked,” the message from the hackers read. “We love breaking federal laws like FERPA (all your data will be leaked),” the message added. “Please stop giving us money.”
While Penn initially told TechCrunch that the email was “fraudulent,” the university has now confirmed the hacker’s claim that data was taken during the breach.
“On October 31, Penn discovered that a select group of information systems related to Penn’s development and alumni activities had been compromised,” the university wrote in a statement, which was emailed to alumni and shared online. “Penn’s staff rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our university and information was taken by the attacker.”
(Disclosure: As an alumna and former employee of the university, the hackers sent the message to my personal email three times, each coming from different official @upenn.edu email addresses, including one from a senior Penn staff member.)
A partially redacted email sent by hackers from a University of Pennsylvania email address. Image Credits: TechCrunch (Screenshot)

The university said that the breach occurred due to a social engineering attack, a hacking method in which individuals are tricked into handing over sensitive information like log-in credentials, possibly through phishing or a phone call.
A Penn employee, who we are not naming as they were not authorized to speak to the press, told TechCrunch that the university requires students, staff, and alumni to use multi-factor authentication (MFA) on their accounts as a security measure; however, the employee said that some high-ranking officials were granted exemptions to MFA requirements.
TechCrunch asked Penn about these alleged MFA exceptions, and if the university could provide a percentage of MFA adoption among staff. Penn spokesperson Ron Ozio declined to comment to TechCrunch beyond Penn’s official data incident page.
As required by law, Penn said it will contact individuals whose personal information was accessed by hackers. The university has not said when these notifications will occur, how many people are affected, or what information was accessed.
The Daily Pennsylvanian reports that the alleged Penn hacker claimed to have taken documents relating to university donors, bank transaction receipts, and personally identifiable information. The hacker said they were financially motivated,
Earlier this year, hackers breached Columbia University, accessing sensitive information on about 870,000 students and applicants, including their Social Security numbers and citizenship status.
Both the Penn and Columbia hacks appear motivated by discontent with affirmative action policies. In the email that the Penn hacker sent to the university community, the hacker wrote, “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.” Meanwhile, the Columbia hacker told Bloomberg that they sought to access data from the university to analyze its affirmative action practices.
If you have more information about the Penn hack, you can contact Amanda Silberling securely on Signal at @amanda.100, or by email, from a non-work device.














