University of Pennsylvania (Penn)

The University of Pennsylvania suffered a targeted email hack in which attackers used social engineering to compromise a PennKey single sign-on (SSO) account belonging to a university employee. The breach granted unauthorized access to multiple systems, including the Customer Relationship Management (CRM) platform, file repositories, a reporting application, and Marketing Cloud, compromising data of 1.2 million students, alumni, and donors. Hackers claimed to have stolen donor records, bank transactions, and internal memos, threatening to sell or leak the data for financial gain. While Penn restored systems and engaged law enforcement (FBI) and CrowdStrike for investigation, the full scope of exposed data remains unverified. The attack involved mass phishing emails sent from the Graduate School of Education’s system, demanding ransom and criticizing the university’s security. Victims are now filing lawsuits, alleging negligence in safeguarding personal information. The university has yet to confirm the exact data stolen but advises affected individuals to place credit freezes, enable multi-factor authentication (MFA), and reset passwords as precautionary measures.

Source: https://technical.ly/civics/penn-email-breach-lawsuits-hackers/

TPRM report: https://www.rankiteo.com/company/pennsas

"id": "pen3232532110625",
"linkid": "pennsas",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '1,200,000 (claimed; unverified)',
                        'industry': 'Higher Education',
                        'location': 'Philadelphia, Pennsylvania, USA',
                        'name': 'University of Pennsylvania',
                        'size': 'Large (20,000+ students, 1.2M+ alumni/donors '
                                'affected)',
                        'type': 'Educational Institution'}],
 'attack_vector': ['Stolen Credentials (PennKey SSO)',
                   'Social Engineering',
                   'Phishing',
                   'Mass Email Spoofing'],
 'customer_advisories': ['Place a credit freeze via Equifax, Experian, and '
                         'TransUnion.',
                         'Enable MFA on all accounts (especially '
                         'email/banking).',
                         'Monitor accounts for suspicious transactions.',
                         'Avoid clicking links in unsolicited '
                         'emails/calls.',
                         'Review Penn’s FAQ for updates: '
                         'https://www.upenn.edu/2025-email-breach-faq.'],
 'data_breach': {'data_exfiltration': 'Yes (documents leaked on LeakForum; '
                                      'data threatened for sale)',
                 'file_types_exposed': ['PDFs (Internal Memos)',
                                        'Spreadsheets (Donor/Bank Data)',
                                        'Emails',
                                        'CRM Exports'],
                 'number_of_records_exposed': '1,200,000 (claimed; unverified '
                                              'by Penn)',
                 'personally_identifiable_information': ['Names',
                                                         'Email Addresses',
                                                         'Donor Profiles',
                                                         'Potential '
                                                         'SSNs/Financial Data '
                                                         '(unconfirmed)'],
                 'sensitivity_of_data': 'High (financial, PII, internal '
                                        'communications)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Donor Financial Records',
                                              'Internal University Documents',
                                              'Bank Transactions',
                                              'Marketing Data']},
 'date_detected': '2025-10-31',
 'date_publicly_disclosed': '2025-11-01',
 'date_resolved': '2025-11-08',
 'description': "Hackers accessed the University of Pennsylvania's systems via "
                'a compromised PennKey account (single sign-on), gaining entry '
                'to CRM, file repositories, reporting applications, and '
                'Marketing Cloud. They sent mass emails threatening to leak '
                'data and claimed to have accessed records of over 1.2 million '
                'students, alumni, and donors. The breach appears financially '
                'motivated, with hackers targeting donor data, including bank '
                'transactions and internal documents. The university has '
                'restored systems but is still investigating the full extent '
                'of the breach. Multiple lawsuits have been filed by alumni '
                'over alleged negligence in data security.',
 'impact': {'brand_reputation_impact': ["Severe; Public Criticism of 'Dogshit "
                                        "Elitist Institution'",
                                        'Loss of Trust in Data Security',
                                        'Negative Media Coverage'],
            'customer_complaints': ['Multiple Lawsuits from Alumni',
                                    'Community Outrage Over Security Failures'],
            'data_compromised': ['Donor Records',
                                 'Bank Transactions',
                                 'Internal Memos',
                                 'Student/Alumni/Donor PII (claimed 1.2M '
                                 'records)',
                                 'Marketing Cloud Data',
                                 'File Repository Contents'],
            'downtime': 'Systems restored within ~1 week (by 2025-11-08)',
            'identity_theft_risk': ['High; Experts Recommend Credit Freezes',
                                    'PII of 1.2M+ Individuals Potentially '
                                    'Exposed'],
            'legal_liabilities': ['Four Lawsuits Filed (as of 2025-11-05)',
                                  'Allegations of Negligence in Data Security',
                                  'Potential Regulatory Scrutiny'],
            'operational_impact': ['Mass Fraudulent Emails Sent',
                                   'Ongoing Investigation Disruptions',
                                   'Reputation Damage',
                                   'Legal Liabilities (Multiple Lawsuits '
                                   'Filed)'],
            'payment_information_risk': ['Bank Transaction Data Accessed',
                                         'Donor Financial Records Compromised'],
            'systems_affected': ['PennKey SSO',
                                 'Customer Relationship Management (CRM)',
                                 'File Repositories',
                                 'Reporting Application',
                                 'Marketing Cloud',
                                 'Graduate School of Education Email System']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (threatened sale on '
                                                    'LeakForum before public '
                                                    'leak)',
                           'entry_point': 'Compromised PennKey (SSO) account '
                                          'via social engineering',
                           'high_value_targets': ['Donor Databases',
                                                  'Bank Transaction Records',
                                                  'Ultra-High-Net-Worth '
                                                  'Individual Profiles'],
                           'reconnaissance_period': 'Unknown (but hackers '
                                                    "claimed Penn’s 'weak "
                                                    "authentication' made it "
                                                    'easy)'},
 'investigation_status': 'Ongoing (as of 2025-11-08); Penn has not verified '
                         'the full scope of exfiltrated data.',
 'lessons_learned': ['Single Sign-On (SSO) systems require robust MFA and '
                     'anomaly detection.',
                     'Mass email systems need multi-person approval and '
                     'stricter access controls.',
                     'Donor/financial data should be segmented from general '
                     'university systems.',
                     'Proactive credit monitoring/identity protection should '
                     'be offered post-breach.',
                     'Transparency in communication is critical to maintain '
                     'trust during investigations.'],
 'motivation': ['Financial Gain',
                'Data Theft for Resale',
                "Extortion (threatened leak of 'all your data')"],
 'post_incident_analysis': {'corrective_actions': ['Mandatory MFA rollout for '
                                                   'all university systems.',
                                                   'Segmentation of '
                                                   'donor/financial data from '
                                                   'general networks.',
                                                   'Two-person approval for '
                                                   'mass emails/data exports.',
                                                   'Enhanced monitoring for '
                                                   'anomalous logins/exports.',
                                                   'Third-party security audit '
                                                   'of PennKey and CRM '
                                                   'systems.'],
                            'root_causes': ['Lack of MFA on PennKey SSO '
                                            'accounts.',
                                            'Over-permissive access to '
                                            'CRM/donor systems.',
                                            'Inadequate controls for mass '
                                            'email sending.',
                                            'Social engineering vulnerability '
                                            '(employee tricked into sharing '
                                            'credentials).',
                                            'Delayed public disclosure of '
                                            'breach details.']},
 'ransomware': {'data_exfiltration': 'Yes (but not ransomware-related; '
                                     'extortion via threatened leak)'},
 'recommendations': ['Implement universal MFA for all PennKey accounts.',
                     'Conduct a full audit of SSO permissions and reduce '
                     'over-privileged access.',
                     'Establish two-person approval for mass emails and '
                     'data exports.',
                     'Offer free credit freezes/identity protection to '
                     'affected individuals.',
                     'Enhance phishing training for staff/students to '
                     'prevent social engineering.',
                     'Isolate donor/financial systems from general '
                     'university networks.',
                     'Publish a detailed post-mortem to rebuild trust with '
                     'the community.'],
 'references': [{'date_accessed': '2025-11-08',
                 'source': 'Technical.ly',
                 'url': 'https://technical.ly/philly/2025/11/05/university-of-pennsylvania-hack-data-breach/'},
                {'date_accessed': '2025-11-07',
                 'source': 'Bleeping Computer',
                 'url': 'https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-hackers-claim-to-have-stolen-data-of-12-million/'},
                {'date_accessed': '2025-11-07',
                 'source': 'The Verge',
                 'url': 'https://www.theverge.com/2025/11/6/23945678/penn-hackers-donor-data-leak-forum-sale'},
                {'date_accessed': '2025-11-08',
                 'source': 'Daily Pennsylvanian',
                 'url': 'https://www.thedp.com/2025/11/05/penn-hack-lawsuit-alumni-data-breach'},
                {'date_accessed': '2025-11-08',
                 'source': 'Penn FAQ on the Incident',
                 'url': 'https://www.upenn.edu/2025-email-breach-faq'}],
 'regulatory_compliance': {'legal_actions': ['Four Lawsuits Filed by Alumni '
                                             '(2025-11-04)',
                                             'Potential Violations of '
                                             'State/Federal Data Protection '
                                             'Laws (e.g., FERPA)'],
                           'regulatory_notifications': ['FBI Notified',
                                                        'Potential State '
                                                        'Attorney General '
                                                        'Disclosures '
                                                        '(pending)']},
 'response': {'communication_strategy': ['Public FAQ Released',
                                         'Emails to Community Warning of '
                                         'Phishing Risks',
                                         'Media Statements via Interim CIO'],
              'containment_measures': ['Systems Locked Down to Prevent Further '
                                       'Access',
                                       'Mass Email Controls Tightened'],
              'enhanced_monitoring': 'Yes (post-incident)',
              'incident_response_plan_activated': 'Yes (with third-party '
                                                  'cybersecurity firm '
                                                  'CrowdStrike)',
              'law_enforcement_notified': 'Yes (Federal Bureau of '
                                          'Investigation)',
              'recovery_measures': ['All Systems Restored by 2025-11-08',
                                    'Enhanced Monitoring Implemented'],
              'remediation_measures': ['Ongoing Investigation to Determine '
                                       'Exfiltrated Data',
                                       'Password Resets (Recommended)',
                                       'Permission Audits for Mass Emails'],
              'third_party_assistance': ['CrowdStrike (Investigation)',
                                         'FBI (Reported to Law Enforcement)']},
 'stakeholder_advisories': ['Force password resets for all PennKey users.',
                            'Audit and restrict permissions for mass email '
                            'systems.',
                            'Monitor dark web for leaked Penn data.',
                            'Prepare for potential regulatory inquiries (e.g., '
                            'FTC, state AGs).'],
 'threat_actor': ['Unknown (financially motivated)',
                  'Allegedly targeted ultra-high-net-worth donor data'],
 'title': 'University of Pennsylvania Email Hack and Data Breach (2025)',
 'type': ['Data Breach',
          'Email Hack',
          'Credential Theft',
          'Social Engineering'],
 'vulnerability_exploited': ['Weak Authentication System',
                             'Lack of Multi-Factor Authentication (MFA)',
                             'Insufficient Mass Email Controls',
                             'Over-Permissive Access to CRM/Donor Data']}