The University of Pennsylvania confirmed a massive data breach on November 5, exposing over 1.2 million records of students, alumni, staff, and community affiliates. The breach originated from a social engineering scam in which attackers compromised systems linked to the university’s development and alumni activities. Stolen data includes personally identifiable information (PII), some dating back decades, along with banking details, though no medical records were affected. Fraudulent emails impersonating the Graduate School of Education (GSE) were sent to members of the Penn community before the university locked down affected systems. The lack of multifactor authentication (MFA) on certain accounts was identified as a key vulnerability, enabling unauthorized access and data theft. The incident underscores the risks that phishing attacks and inadequate access controls pose to educational institutions: large-scale exposure of sensitive personal and financial data, with potential long-term repercussions for identity theft and fraud.
Source: https://www.kaseya.com/?post_type=post&p=25545
Penn Admissions cybersecurity rating report: https://www.rankiteo.com/company/penn-admissions
"id": "PEN3732337111225",
"linkid": "penn-admissions",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '1.2 million (students, alumni, '
'staff, community affiliates)',
'industry': 'Education',
'location': 'United States',
'name': 'University of Pennsylvania',
'type': 'Educational Institution'}],
'attack_vector': 'Social Engineering, Phishing Emails',
'customer_advisories': 'Emails sent to affected community members',
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '1.2 million',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes decades-old PII and '
'financial data)',
'type_of_data_compromised': ['PII', 'Banking Details']},
'date_detected': '2023-10-31',
'date_publicly_disclosed': '2023-11-05',
'description': 'The University of Pennsylvania confirmed a massive data '
'breach on November 5, exposing the personal information of '
'students, alumni, staff, and community affiliates. The breach '
'involved over 1.2 million records, including PII and banking '
'details (but no medical information). The attack began with a '
'social engineering scam, and fraudulent emails were sent to '
'the Penn community. Lack of multifactor authentication (MFA) '
'was identified as a key vulnerability.',
'impact': {'brand_reputation_impact': 'High (trust erosion among students, '
'alumni, and affiliates)',
'data_compromised': ['Personally Identifiable Information (PII)',
'Banking Details'],
'identity_theft_risk': 'High',
'operational_impact': 'Fraudulent emails sent, systems locked down '
'post-breach',
'payment_information_risk': 'High',
'systems_affected': ['Development and Alumni Activity Systems']},
'initial_access_broker': {'entry_point': 'Social Engineering (phishing '
'emails)',
'high_value_targets': ['Development and Alumni '
'Systems']},
'investigation_status': 'Concluded (breach confirmed, systems secured)',
'lessons_learned': 'Enforce multifactor authentication (MFA) across all '
'accounts and implement stricter access controls to '
'mitigate social engineering risks.',
'motivation': 'Data Theft, Fraud',
'post_incident_analysis': {'corrective_actions': ['System lockdown',
'Public disclosure'],
'root_causes': ['Lack of MFA',
'Successful social engineering '
'attack']},
'recommendations': ['Enable MFA for all user accounts',
'Conduct regular security awareness training',
'Monitor for unauthorized access attempts'],
'references': [{'source': 'University of Pennsylvania Breach Notification'}],
'response': {'communication_strategy': 'Public disclosure, email '
'notifications to affected parties',
'containment_measures': ['Locked down affected systems'],
'incident_response_plan_activated': True},
'title': 'University of Pennsylvania Data Breach',
'type': 'Data Breach',
'vulnerability_exploited': 'Lack of Multifactor Authentication (MFA)'}