University of Pennsylvania (UPenn)

In late October 2025, the University of Pennsylvania suffered a major data breach after a hacker compromised an employee’s PennKey SSO account, gaining unauthorized access to critical systems, including the VPN, Salesforce, analytics platforms, and internal files. The attacker exfiltrated sensitive personally identifiable information (PII) of approximately 1.2 million students, alumni, and donors, including names, dates of birth, addresses, phone numbers, financial/demographic data (estimated net worth, donation history), race, religion, and sexual orientation. The breach escalated when the hacker sent offensive emails to hundreds of thousands of recipients via Penn’s mailing list and publicly leaked samples of stolen data as proof. The incident was reported to the FBI, and the university issued a cybersecurity notice on November 4, 2025. Victims face risks of identity theft, phishing, and financial fraud, with legal firms (e.g., Shamis & Gentile P.A.) investigating potential class-action lawsuits for compensation covering credit monitoring, identity protection, and financial losses.

Source: https://www.claimdepot.com/investigations/university-of-pennsylvania-data-breach-2025

TPRM report: https://www.rankiteo.com/company/pennsas

"id": "pen4092440110525",
"linkid": "pennsas",
"type": "Breach",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '1,200,000 (students, alumni, '
                                              'donors)',
                        'industry': 'Higher Education',
                        'location': 'Philadelphia, Pennsylvania, USA',
                        'name': 'University of Pennsylvania (UPenn)',
                        'size': 'Large (16,000+ employees, 21,000+ students)',
                        'type': 'Educational Institution'}],
 'attack_vector': ['Compromised Credentials (PennKey SSO)',
                   'Phishing/Social Engineering (likely)',
                   'VPN Exploitation'],
 'customer_advisories': ['Monitor for Identity Theft',
                         'Report Suspicious Activity',
                         'Consider Credit Freezes'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['Databases',
                                        'Internal Documents',
                                        'Mailing Lists'],
                 'number_of_records_exposed': '1,200,000',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['PII',
                                              'Financial Data',
                                              'Demographic Data',
                                              'Sensitive Personal Attributes '
                                              '(race, religion, sexual '
                                              'orientation)']},
 'date_detected': '2025-10-31',
 'date_publicly_disclosed': '2025-11-04',
 'description': 'In late October 2025, the University of Pennsylvania (UPenn) '
                'experienced a significant data breach after a hacker '
                'compromised an employee’s PennKey SSO account, gaining '
                'unauthorized access to internal systems, including the VPN, '
                'Salesforce data, analytics platforms, and internal files. The '
                'attacker claimed to have obtained data on ~1.2 million '
                'students, alumni, and donors, including sensitive personally '
                'identifiable information (PII) such as names, dates of birth, '
                'addresses, financial/demographic details, race, religion, and '
                'sexual orientation. Offensive emails were sent via Penn’s '
                'mailing list platform, and stolen data samples were posted '
                'online. The university referred the incident to the FBI and '
                'published a cybersecurity notice on Nov. 4, 2025.',
 'impact': {'brand_reputation_impact': ['High (Ivy League institution; '
                                        'sensitive data exposed)'],
            'customer_complaints': ['Likely (given offensive emails and PII '
                                    'exposure)'],
            'data_compromised': ['Names',
                                 'Dates of Birth',
                                 'Addresses',
                                 'Phone Numbers',
                                 'Financial/Demographic Information (net '
                                 'worth, donation history)',
                                 'Race',
                                 'Religion',
                                 'Sexual Orientation'],
            'identity_theft_risk': ['High (PII exposed)'],
            'legal_liabilities': ['Potential Lawsuits (class action by Shamis '
                                  '& Gentile P.A.)',
                                  'Regulatory Scrutiny'],
            'operational_impact': ['Unauthorized Email Campaigns',
                                   'Reputation Damage',
                                   'Investigation/Remediation Costs'],
            'systems_affected': ['VPN',
                                 'Salesforce',
                                 'Analytics Platforms',
                                 'Internal Files',
                                 'Mailing List Platform']},
 'initial_access_broker': {'data_sold_on_dark_web': ['Likely (sample data '
                                                     'posted online)'],
                           'entry_point': 'Compromised PennKey SSO Account',
                           'high_value_targets': ['Student/Alumni Donor '
                                                  'Databases',
                                                  'Financial/Demographic '
                                                  'Records']},
 'investigation_status': 'Ongoing (FBI and internal investigation)',
 'motivation': ['Data Theft',
                'Financial Gain (potential ransom or dark web sale)',
                'Disruption (offensive emails)'],
 'post_incident_analysis': {'root_causes': ['Inadequate Authentication '
                                            'Controls',
                                            'Lack of Behavioral Anomaly '
                                            'Detection',
                                            'Overprivileged Access '
                                            '(VPN/Salesforce)']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Implement Stronger MFA for SSO/VPN Access',
                     'Conduct Regular Security Awareness Training (Phishing '
                     'Resistance)',
                     'Enhance Monitoring for Unauthorized Data Exfiltration',
                     'Segment Critical Systems to Limit Lateral Movement',
                     'Offer Credit Monitoring/Identity Theft Protection to '
                     'Affected Individuals'],
 'references': [{'source': 'Shamis & Gentile P.A. Investigation Notice'},
                {'source': 'University of Pennsylvania Cybersecurity Incident '
                           'Notice (Nov. 4, 2025)'}],
 'regulatory_compliance': {'legal_actions': ['Class Action Lawsuit '
                                             '(investigated by Shamis & '
                                             'Gentile P.A.)'],
                           'regulations_violated': ['Potential: FERPA (student '
                                                    'records)',
                                                    'State Data Breach Laws '
                                                    '(e.g., Pennsylvania '
                                                    'Breach of Personal '
                                                    'Information Notification '
                                                    'Act)'],
                           'regulatory_notifications': ['FBI',
                                                        'Possibly state '
                                                        'regulators (not '
                                                        'specified)']},
 'response': {'communication_strategy': ['Cybersecurity Incident Notice (Nov. '
                                         '4, 2025)',
                                         'FAQs for Affected Individuals'],
              'containment_measures': ['SSO Account Revocation',
                                       'VPN Access Restrictions',
                                       'System Isolation (likely)'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['Public Notice (FAQs published)',
                                    'Stakeholder Communication'],
              'remediation_measures': ['Forensic Investigation',
                                       'Password Resets',
                                       'Enhanced Monitoring'],
              'third_party_assistance': ['Law Enforcement (FBI)',
                                         'Technical Experts (unspecified)']},
 'stakeholder_advisories': ['Public FAQs', 'Lawyer-Led Compensation Claims'],
 'title': 'University of Pennsylvania Data Breach (2025)',
 'type': ['Data Breach', 'Unauthorized Access', 'Identity Theft Risk'],
 'vulnerability_exploited': ['Weak Authentication (SSO)',
                             'Insufficient Multi-Factor Authentication (MFA)',
                             'Lateral Movement within Internal Systems']}