The University of Pennsylvania experienced a **cybersecurity breach** in late October 2023, where an anonymous hacker exploited **sophisticated social engineering (identity impersonation)** to gain unauthorized access to critical systems. The attacker compromised **Penn’s CRM (Salesforce), file repositories (SharePoint, Box), a reporting tool (QlikView), and Marketing Cloud**, exfiltrating sensitive data. Initially, the hacker claimed to have stolen records of **1.2 million students, alumni, and donors**, including **personal information, donor memos, bank transaction receipts, and details of high-profile individuals like former President Joe Biden’s family**. While Penn disputed the 1.2 million figure, forensic investigations remain ongoing, and the university confirmed **no evidence of fraudulent use of the data yet**. The breach triggered **multiple class-action lawsuits** alleging negligence in securing personal data. The attacker also sent **fraudulent emails** criticizing Penn’s hiring practices and urging recipients to halt donations. Penn contained the breach, reported it to the **FBI**, and warned the community about potential **phishing follow-ups**. The incident exposed systemic vulnerabilities, with **no medical records (Penn Medicine) compromised**, but the leaked data’s scope—including financial and personal details—poses **long-term reputational, legal, and operational risks** for the institution.
Source: https://www.inquirer.com/education/penn-data-breach-hack-update-20251117.html
Penn Admissions cybersecurity rating report: https://www.rankiteo.com/company/penn-admissions
"id": "PEN3202032111825",
"linkid": "penn-admissions",
"type": "Breach",
"date": "10/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Undetermined (initially claimed '
'1.2 million; Penn disputes this '
'figure)',
'industry': 'Higher Education',
'location': 'Philadelphia, Pennsylvania, USA',
'name': 'University of Pennsylvania (Penn)',
'size': 'Large (22,000+ students, 100,000+ '
'alumni/donors)',
'type': 'Educational Institution'}],
'attack_vector': 'Sophisticated identity impersonation (social engineering)',
'customer_advisories': 'Individuals to be notified once analysis is complete',
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['Documents',
'Memos',
'Transaction receipts'],
'number_of_records_exposed': 'Undetermined (hacker claimed '
'1.2 million; Penn disputes '
'this)',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes financial, personal, '
'and donor data)',
'type_of_data_compromised': ['Personal information (students, '
'alumni, donors)',
'Donor memos and family details',
'Bank transaction receipts',
'Information about former '
'President Joe Biden’s '
'granddaughter']},
'date_detected': '2023-10-31',
'date_publicly_disclosed': '2023-10-31',
'description': 'An anonymous hacker claimed to have compromised data for ~1.2 '
'million students, donors, and alumni at the University of '
'Pennsylvania (Penn) via a sophisticated social engineering '
'attack. The university disputed the 1.2 million figure, '
'stating it was mischaracterized. The breach involved access '
'to Penn’s CRM (Salesforce), file repositories (SharePoint, '
'Box), a reporting application (Qlikview), and Marketing '
'Cloud. Personal data, donor memos, bank transaction receipts, '
'and information about former President Joe Biden’s '
'granddaughter (a Penn student) were among the exposed '
'records. The hacker planned to sell some data before public '
'release. Over a dozen class-action lawsuits were filed '
'alleging negligence in securing personal information. The FBI '
'was notified, and the breach was contained. Penn warned the '
'community about phishing risks and advised credit monitoring.',
'impact': {'brand_reputation_impact': 'Significant (public dispute over '
'breach scale, lawsuits, criticism of '
'security practices)',
'customer_complaints': 'Multiple class-action lawsuits filed (14+ '
'in federal/state courts)',
'data_compromised': True,
'identity_theft_risk': 'Potential (Penn advised credit monitoring '
'and fraud alerts)',
'legal_liabilities': '14+ proposed class-action lawsuits (alleging '
'failure to secure personal information)',
'operational_impact': 'Ongoing forensic investigation; delayed '
'notification to affected individuals',
'payment_information_risk': 'Yes (bank transaction receipts '
'accessed)',
'systems_affected': ['Customer Relationship Management (CRM) - '
'Salesforce',
'File repositories - SharePoint',
'File repositories - Box',
'Reporting application - Qlikview',
'Marketing Cloud']},
'initial_access_broker': {'data_sold_on_dark_web': 'Planned (hacker claimed '
'intent to sell data '
'before public release)',
'entry_point': 'Social engineering (identity '
'impersonation)',
'high_value_targets': ['Donor data',
'Financial records',
'Personal information of '
'high-profile individuals '
'(e.g., Joe Biden’s '
'granddaughter)']},
'investigation_status': 'Ongoing (forensic analysis incomplete; no timeline '
'provided)',
'motivation': ['Financial gain (planned data sale)',
'Activism (criticism of Penn’s hiring practices and donation '
'policies)'],
'post_incident_analysis': {'root_causes': 'Successful social engineering '
'attack exploiting human error'},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Enhance social engineering defenses (e.g., employee '
'training, multi-factor authentication)',
'Improve incident response timelines for forensic '
'investigations',
'Proactive communication with stakeholders during '
'breaches',
'Regular audits of third-party systems (e.g., Salesforce, '
'SharePoint, Box)'],
'references': [{'source': 'The Verge', 'url': 'https://www.theverge.com'},
{'source': 'Daily Pennsylvanian (Penn’s student newspaper)',
'url': 'https://www.thedp.com'},
{'source': 'University of Pennsylvania Incident Information '
'Page'}],
'regulatory_compliance': {'legal_actions': '14+ proposed class-action '
'lawsuits (federal/state courts)',
'regulatory_notifications': 'FBI notified'},
'response': {'communication_strategy': ['Public information page with updates',
'Warnings about phishing/suspicious '
'emails',
'Advisories to review credit reports '
'and activate fraud alerts'],
'containment_measures': 'Breach contained (as stated by Penn)',
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'recovery_measures': 'Ongoing forensic investigation; planned '
'notifications to affected individuals'},
'stakeholder_advisories': ['Warnings about phishing/suspicious emails',
'Advisories to review credit reports and activate '
'fraud alerts'],
'threat_actor': 'Anonymous hacker (self-claimed)',
'title': 'Cybersecurity Breach at the University of Pennsylvania',
'type': ['Data Breach', 'Social Engineering Attack', 'Unauthorized Access'],
'vulnerability_exploited': 'Human error (deception of individuals into '
'disclosing confidential information)'}