Cybercriminals have claimed responsibility for the recent cyberattack on the University of Pennsylvania and the stealing of data on approximately 1.2 million students, alumni, and donors. Here are the details:
Penn has reported last week’s mass cybersecurity breach to the Federal Bureau of Investigation following reports that the hack compromised data for millions of individuals.
The breach resulted in mass scam emails sent on Oct. 31 from multiple University-affiliated email addresses that were addressed to the Penn community and contained criticisms of the University’s security practices and institutional purpose. A University spokesperson wrote to The Daily Pennsylvanian that the matter has been referred to law enforcement and the FBI as Penn investigates a “breach of data of select information systems.”
In the initial emails, the hacker appeared to threaten to release user data, writing that “all your data will be leaked.”
“We understand and share our community’s concerns and have reported this to the FBI. We are working with law enforcement as well as other third-party technical resources to address this as rapidly as possible,” the spokesperson added.
And according to Bleeping Computer, this is how the threat actors got in:
However, the threat actor behind the attack contacted BleepingComputer, claiming the intrusion was far broader and that they had gained access to multiple university systems.
The hacker said their group “gained full access” to an employee’s PennKey SSO account, allowing access to Penn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files.
I have a lot of commentary on this. Starting with Darren James, a Senior Product Manager at Specops Software:
“This incident highlights the double-edged nature of single sign-on (SSO). It is an effective way to simplify access and strengthen security through centralized monitoring and MFA, but if compromised, it can act like a master key and provide access to multiple connected systems at once.
In this case, the access spanning Salesforce, Qlik, SAP, and SharePoint is unusual and raises questions about how role-based access controls were managed. Even if this level of access was legitimate for the user involved, it reinforces the importance of strict privilege management and continuous identity monitoring.
The attacker’s behavior, including sending offensive mass emails, does not appear to align with professional or highly organized cybercrime groups. However, the volume and sensitivity of the data reportedly accessed make the breach significant.
PennKey authentication appears to rely on a username and password followed by a DUO push prompt. That raises several important questions: Was the password reused or previously compromised? Was MFA configured properly, including fatigue protections? Was the second factor bypassed through social engineering, or could a stolen session token be responsible?
Modern identity security needs to go beyond MFA alone. Controls like device pinning and posture checks, which ensure credentials can only be used from trusted and compliant devices, would significantly reduce the likelihood of this type of intrusion.”
Ensar Seker, CISO at SOCRadar, follows with this:
“The claims that 1.2 million donor, alumni and student records may have been exfiltrated at Penn including access via a compromised SSO account, VPN, SharePoint, Salesforce, SAP and BI systems highlight the highly leveraged value of non‑financial, crowd‑sourced datasets. What’s alarming here is the attack vector: the hacker asserts that rather than immediately demanding ransom, the aim was pure information theft and monetization of donor insights.
If this breach is genuine as claimed, the impact extends beyond identity theft. Data sets linking net worth, donation history and demographic details (race, religion, sexual orientation) are highly tailored and valuable to adversaries launching social engineering, targeted phishing or credential stuffing campaigns. The fact that the initial indicators emerged as a provocative “we got hacked” mass‑email adds urgency: it wasn’t just a stealthy breach, it was weaponized for reputation and donor confidence.
In terms of dark‑web indicators, our dark web team is monitoring underground forums for early exposure of “appetizer” leak data and dataset advertisements associated with the incident. While we have not yet seen full confirmation of a wide‑scale public dump, the presence of credential sets tied to the institution suggests the attack may already be staging towards commercialization.
For organizations in the education or non‑profit sectors, the message is clear: privileged access to major donor platforms, CRM systems, marketing cloud tools and analytics portals must be treated with the same level of monitoring and segmentation as financial systems. A compromised user session in an SSO environment has proven more than enough to cascade into high‑value data loss.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech, adds this:
“None of the breached data poses a direct threat to victims or their finances. There are no passwords or Social Security numbers, for example. However, the info could be used to craft more convincing phishing messages that are tailored to the recipient. Be on the lookout for phishing messages from scammers posing as UPenn or a related organization. Never click on links or attachments in unsolicited emails.”
Finally, Chris Hauk, Consumer Privacy Champion at Pixel Privacy, had this to say:
“Victims of the hack should keep an eye out for phishing emails, texts, and phone calls that may attempt to use the gleaned information to obtain additional data about the users. They should particularly be on the alert for emails appearing to come from the University of Pennsylvania.
Victims should also change any passwords that they have used for accounts that are connected to the university. They should also use a password manager to create unique and secure passwords for not only possibly targeted accounts, but for all of their accounts. Most popular password managers will check login credentials for each account, warning of duplicated passwords. Users should also enable multi-factor authentication on all of their accounts, not just their affected accounts. This will help guard against wide exposure in future data breaches.”
This is one of those hacks that will have downstream effects for years, which is why the best defense is to do everything possible to make sure that a hack like this never happens in the first place.
Palo Alto Report Outlines China’s Airstalk Supply-Chain Attack Campaign
Posted in Commentary on November 4, 2025 by itnerd
Palo Alto Networks has identified a new Chinese state-sponsored operation using a malware family called Airstalk to infiltrate business process outsourcing (BPO) providers as a conduit into their enterprise clients. The campaign leveraged PowerShell and .NET variants, abused AirWatch’s MDM API for covert C2, and used stolen signing certificates and timestamp manipulation to evade detection.
You can read Palo Alto’s report here: Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack
Tom Kellermann, VP of Cyber Risk for HITRUST, had this to say:
“The Airstalk campaign demonstrates China’s continued pivot toward deep supply-chain infiltration, targeting BPOs as operational beachheads to silently reach their clients’ networks. By abusing AirWatch’s MDM API and pairing PowerShell and .NET implants with stolen certificates and timestamp tampering, Chinese operators are weaponizing trusted enterprise mobility infrastructure as covert C2 channels. This is calculated espionage, not opportunism. BPOs are trust concentrators, and once breached, they provide a direct path into multiple U.S. corporate environments. We must elevate third-party security monitoring, particularly API abuse detection and certificate validation, or these persistent access campaigns will proliferate unchecked across the economy.”
This highlights the threats that a supply chain attack can pose. It also shows the lengths that a threat actor will go to in order to execute its plans. This attack is multi-layered, which makes it harder to defend against. But not impossible if you take a more holistic view of securing your organization.