Breach cyber

University of Pennsylvania (Penn)

Nov 2, 2024 2 min read
University of Pennsylvania (Penn)

The University of Pennsylvania (Penn) suffered a significant data breach targeting its information systems, compromising the confidential data of 1.2 million students, alumni, and donors. The breach, disclosed on November 2, 2024, led to a wave of class-action lawsuits from graduates alleging negligence in cybersecurity measures. Plaintiffs claim Penn failed to maintain adequate security systems, monitor for intrusions, or ensure third-party vendors followed proper protocols. The stolen data reportedly includes Personally Identifiable Information (PII), though the full scope remains under investigation. Penn confirmed the breach was contained but has not detailed the exact nature of the exposed data. Lawsuits argue the impact is far broader than acknowledged, with long-term repercussions expected for affected individuals, including potential identity theft, financial fraud, or reputational harm. The incident underscores systemic vulnerabilities in Penn’s data protection framework, raising concerns over compliance and trust among stakeholders.

Source: https://www.thedp.com/article/2025/11/penn-lawsuits-data-breach-class-action

TPRM report: https://www.rankiteo.com/company/pennsas

"id": "pen1962019110525",
"linkid": "pennsas",
"type": "Breach",
"date": "11/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '1.2 million (students, alumni, '
                                              'and donors)',
                        'industry': 'Higher Education',
                        'location': 'Philadelphia, Pennsylvania, USA',
                        'name': 'University of Pennsylvania (Penn)',
                        'type': 'Educational Institution'}],
 'customer_advisories': ['Email to community (Nov. 2023)',
                         "Dedicated webpage: 'Cybersecurity incident "
                         "information and FAQ'"],
 'data_breach': {'data_exfiltration': 'Yes (claimed by hacker)',
                 'number_of_records_exposed': '1.2 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII of students, alumni, and '
                                        'donors)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)']},
 'date_publicly_disclosed': '2023-11-02',
 'description': 'The University of Pennsylvania (Penn) faced a security breach '
                "of 'select information systems,' leading to multiple class "
                'action lawsuits filed by alumni. The breach allegedly exposed '
                'data from 1.2 million students, alumni, and donors. '
                'Plaintiffs claim Penn failed to implement adequate '
                'cybersecurity measures, including monitoring for intrusions '
                'and ensuring vendor security. The University has stated the '
                'breach is contained but is still investigating the extent of '
                'the compromised data.',
 'impact': {'brand_reputation_impact': 'Significant (multiple lawsuits '
                                       'alleging negligence)',
            'customer_complaints': ['Four class action lawsuits filed by '
                                    'alumni'],
            'data_compromised': ['Personally Identifiable Information (PII) of '
                                 'students, alumni, and donors'],
            'identity_theft_risk': 'Potential (PII exposed)',
            'legal_liabilities': ['Four class action lawsuits filed '
                                  '(Christopher Kelly, Mary Sikora, Christian '
                                  'Bersani, Kelli Mackey)'],
            'systems_affected': ['Select information systems']},
 'investigation_status': "Ongoing (University investigating 'nature of the "
                         "information' obtained)",
 'references': [{'source': 'The Daily Pennsylvanian'},
                {'date_accessed': '2023-11-02', 'source': 'BleepingComputer'},
                {'date_accessed': '2023-11-02 (approximate)',
                 'source': 'University of Pennsylvania Community Email (Joshua '
                           'Beeman)'}],
 'regulatory_compliance': {'legal_actions': ['Four class action lawsuits filed '
                                             '(negligence claims)']},
 'response': {'communication_strategy': ['Email to community from Joshua '
                                         'Beeman (interim VP of IT and CIO)',
                                         "Dedicated webpage: 'Cybersecurity "
                                         "incident information and FAQ'"],
              'containment_measures': 'Breach contained (as of Nov. 2023)',
              'incident_response_plan_activated': 'Yes (breach contained per '
                                                  'University statement)'},
 'stakeholder_advisories': ['Email to community (Nov. 2023)',
                            "Dedicated webpage: 'Cybersecurity incident "
                            "information and FAQ'"],
 'threat_actor': {'claim': 'Responsibility for stealing data from 1.2 million '
                           'individuals',
                  'name': 'Unnamed hacker(s)'},
 'title': 'University of Pennsylvania Data Breach and Class Action Lawsuits',
 'type': ['Data Breach', 'Class Action Lawsuits']}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.