On October 31, hackers breached the University of Pennsylvania’s information systems, stealing sensitive data and sending a malicious email to the alumni network and others in the university’s system.

What happened and why

Based on the content of the email, the attack appears to have been carried out in an effort to shed light on the alleged unfairness of UPenn’s affirmative action and admission policies. According to UPenn’s website, the hackers obtained credentials via a “social engineering” hack, impersonating a high-ranking employee in order to convince lower-level employees to hand over their credentials to this “trusted” individual. They then used the stolen credentials to send an unauthorized email, complete with the university’s official letterhead, before UPenn’s security team was able to lock down the system.

Here’s what the email read:

“Dear Penn community,

The University of Pennsylvania is a dog****, elitist institution full of woke retards. We have terrible security practices and are completely unmeritocratic. We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits. We love breaking federal laws like FERPA (all your data will be leaked) and Supreme Court rulings like SFFA. Please stop giving us money.

Warm regards,
The University of Pennsylvania”

In addition to breaking into the university’s systems to unconventionally voice their opinions about its admissions processes, the hackers may have also been financially motivated to complete the attack. Not long after the incident, one of the alleged hackers informed a news outlet of their intent to sell some of the donor data they obtained during the breach before releasing it to the public.

What happens now

The extent of the hack is not clear. Although UPenn’s systems have been restored, it continues to work with both law enforcement and other cybersecurity investigative groups in order to discover the depth of the attack and prevent further breaches. The university’s website currently states,

“…the systems we know were accessed include Penn’s Customer Relationship Management (CRM) system (Salesforce), file repositories (SharePoint and Box), a reporting application (Qlikview), as well as Marketing Cloud.”

Information systems related to UPenn’s development and alumni activities were accessed during the incident, and possibly other systems as well. The hackers behind the attack claim to have obtained around 1.2 million credentials of alumni, students, and donors, including data belonging to former President Joe Biden, but the university refused to confirm or deny that number, stating:

“The 1.2 million number has been mischaracterized and overstates the impact. We are still conducting our forensic investigation to determine the exact nature and extent of the information and therefore cannot provide a precise number.”

When the investigation is complete, the University of Pennsylvania will notify any individuals whose data may have been compromised. So far, no date has been given as to when that will be.