The University of Pennsylvania confirmed Tuesday that a hacker stole university data as part of last week’s data breach in which alumni and other associates received suspicious emails from official university email addresses.
“We’ve been hacked,” the hackers’ message read. “We love breaking federal laws like FERPA (all your data will be leaked),” the message added. “Stop giving us money.”
While Penn initially told TechCrunch that the email was a “hoax,” the university has now confirmed the hacker’s claim that data was obtained during the breach.
“On Oct. 31, Penn discovered that a select group of information systems related to Penn’s alumni development and activities had been compromised,” the university wrote in a statement, which was emailed to alumni and shared online. “Penn staff quickly locked down the systems and prevented further unauthorized access, however, not before an offensive and fraudulent email was sent to our community and the information was obtained by the attacker.”
(Disclosure: As a graduate student and former university employee, I received the hackers’ message at my personal email three times, each time from a different official @upenn.edu email address, including one belonging to a senior Penn official.)
The university said the breach occurred due to a social engineering attack, a hacking technique in which people are tricked into handing over sensitive information such as login credentials, perhaps through phishing or a phone call.
A Penn employee, whom we are not naming because he was not authorized to speak to the press, told TechCrunch that the university requires students, staff and alumni to use multi-factor authentication (MFA) on their accounts as a security measure. However, the employee said some high-ranking officials were granted exemptions from the MFA requirement.
TechCrunch asked Penn about these supposed MFA exemptions and whether the university could provide an MFA adoption rate among staff. Penn spokesman Ron Ozio declined to comment to TechCrunch beyond Penn’s official data events page.
As required by law, Penn said it will contact people whose personal information was accessed by hackers. The university has not said when those notifications will be made, how many people are affected or what information was accessed.
The Daily Pennsylvanian reports that the alleged Penn hacker claimed to have obtained documents related to university donors, bank statements and personally identifiable information. The hacker said they were financially motivated.
Earlier this year, hackers breached Columbia University, gaining access to sensitive information about around 870,000 students and applicants, including Social Security numbers and citizenship status.
Both the Penn and Columbia intrusions appear to have been motivated by dissatisfaction with affirmative action policies. In the email the Penn hacker sent to the university community, the hacker wrote, “We hire and admit idiots because we love legacies, donors, and inappropriate affirmative action.” Meanwhile, the Columbia hacker told Bloomberg that they sought to access data from the university to investigate its affirmative action practices.
If you have more information about the Penn hack, you can contact Amanda Silberling securely on Signal at @amanda.100 or via email, from a non-work device.
