The University of Pennsylvania experienced a cybersecurity breach between **October 31, 2025, and November 1, 2025**, where attackers gained unauthorized access to an employee’s **PennKey account** and exfiltrated sensitive data. The breach resulted in the public disclosure of **thousands of internal files**, including **internal communications, donor records, bank transaction receipts, and personal information (names, addresses, contact details)** of approximately **1.2 million students, alumni, and donors**. The attackers threatened to **sell or further disclose the data**, exposing victims to **identity theft, fraud, and financial risks**. The incident prompted a **class action lawsuit investigation** by Edelson Lechtzin LLP, highlighting severe reputational, financial, and operational consequences for the university.
TPRM report: https://www.rankiteo.com/company/pennsas
"id": "pen1803818110525",
"linkid": "pennsas",
"type": "Breach",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,200,000 (students, alumni, '
'donors)',
'industry': 'Higher Education',
'location': 'Philadelphia, Pennsylvania, USA',
'name': 'University of Pennsylvania (Penn)',
'size': 'Large (Ivy League university, ~1.2M affected '
'individuals)',
'type': 'Educational Institution'}],
'attack_vector': ['Compromised Credentials (PennKey account)',
'Mass Email Phishing (likely)',
'Public Data Dump'],
'customer_advisories': ['Public notification via press release',
'Legal firm contact provided for affected parties'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['Documents',
'Emails',
'Database records',
'Transaction logs'],
'number_of_records_exposed': '1,200,000',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes financial and personal '
'data)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Internal communications',
'Donor records',
'Bank transaction receipts',
'Contact details (names, '
'addresses)']},
'date_detected': '2025-10-31',
'date_publicly_disclosed': '2025-11-01',
'description': 'The University of Pennsylvania experienced a cybersecurity '
'breach between October 31, 2025, and November 1, 2025, '
'involving unauthorized access to its computer network. '
"Attackers gained 'full access' to a University employee’s "
'PennKey account and exported data on about 1.2 million '
'students, alumni, and donors. The leaked materials include '
'internal communications, donor records, bank transaction '
'receipts, and personal information (names, addresses, contact '
'details). The group published thousands of internal files on '
'a public forum and threatened further disclosure or sale of '
'the data.',
'impact': {'brand_reputation_impact': ['Class action lawsuit investigation',
'Loss of trust among '
'students/alumni/donors',
'Negative media coverage'],
'data_compromised': True,
'identity_theft_risk': ['High (personal data exposed: names, '
'addresses, contact details)'],
'legal_liabilities': ['Potential class action lawsuit (Edelson '
'Lechtzin LLP investigation)',
'Regulatory scrutiny'],
'operational_impact': ['Public disclosure of internal files',
'Reputational damage',
'Potential legal liabilities'],
'payment_information_risk': ['Moderate (bank transaction receipts '
'exposed)'],
'systems_affected': ['University computer network',
'PennKey account system']},
'initial_access_broker': {'data_sold_on_dark_web': ['Threatened (potential '
'future sale)'],
'entry_point': 'Compromised PennKey account '
'(employee credentials)',
'high_value_targets': ['Student/alumni/donor '
'databases',
'Internal communications',
'Financial records']},
'investigation_status': 'Ongoing (class action investigation by Edelson '
'Lechtzin LLP)',
'motivation': ['Financial Gain (potential data sale)',
'Disruption',
'Public Exposure'],
'ransomware': {'data_exfiltration': True},
'recommendations': ['Monitor financial accounts and credit reports for '
'suspicious activity',
'Implement multi-factor authentication (MFA) for all '
'critical accounts',
'Conduct a thorough review of access controls and '
'credential security',
'Enhance employee training on phishing and social '
'engineering attacks',
'Establish a clear incident response and communication '
'plan for future breaches'],
'references': [{'date_accessed': '2025-11-04',
'source': 'Edelson Lechtzin LLP Press Release',
'url': 'https://www.edelson-law.com'}],
'regulatory_compliance': {'legal_actions': ['Class action lawsuit '
'investigation (Edelson Lechtzin '
'LLP)']},
'response': {'communication_strategy': ['Public disclosure via press release',
'Advisory for affected individuals to '
'monitor accounts'],
'third_party_assistance': ['Legal firm (Edelson Lechtzin LLP - '
'investigation)']},
'stakeholder_advisories': ['Affected individuals advised to monitor accounts '
'for identity theft'],
'title': 'University of Pennsylvania Data Breach (2025)',
'type': ['Data Breach', 'Unauthorized Access', 'Data Exfiltration']}