The University of Pennsylvania confirms that a hacker stole data during the cyberattack

The University of Pennsylvania confirmed Tuesday that a hacker stole university data as part of a data breach last week, during which alumni and other affiliates received suspicious emails from the university’s official email addresses.

“We have been hacked,” the hackers’ message read. “We love violating federal laws like FERPA (all your data will be leaked),” the message added. “Please stop giving us money.”

While Penn initially told TechCrunch that the email was “scamming,” the university has now confirmed the hacker’s claim that data was taken during the hack.

“On October 31, Penn discovered that a selection of information systems related to Penn Development and alumni activities had been compromised,” the university wrote in a statement emailed to alumni and shared online. “Penn employees quickly locked down the systems and prevented further unauthorized access; but not before an abusive and fraudulent email was sent to our community and the attacker took control of the information.”

(Disclosure: As an alumna and former university employee, the hackers sent the message to my personal email three times, each coming from a different administrator @upenn.edu Email addresses, including one from a senior Pennsylvania employee.)

The university said the breach occurred due to a social engineering attack, a hacking technique in which individuals are tricked into handing over sensitive information such as login credentials, possibly through phishing or a phone call.

A Penn employee, whom we are not naming because he is not authorized to speak to the press, told TechCrunch that the university requires students, employees, and alumni to use multi-factor authentication (MFA) on their accounts as a security measure; However, the employee said some high-ranking officials were granted exemptions from State Department requirements.

TechCrunch asked Ben about the so-called MFA exemptions, and whether the university could offer a percentage of MFA adoption among employees. Penn spokesman Ron Osio declined to comment to TechCrunch outside of Penn’s official data incident page.

As required by law, Penn said it will contact individuals whose personal information the hackers gained access to. The university did not say when these notifications would occur, how many people were affected, or what information was accessed.

The alleged hacker at Penn State claimed to have obtained documents related to university donors, bank transaction receipts and personally identifiable information, the Daily Pennsylvanian reported. The hackers said they had financial motives.

Earlier this year, hackers breached Columbia University, gaining access to sensitive information about about 870,000 students and applicants, including their Social Security numbers and citizenship status.

The breakthroughs in Pennsylvania and Columbia appear to be motivated by dissatisfaction with affirmative action policies. In the University of Pennsylvania hacker’s email to the university community, the hacker wrote: “We hire and admit fools because we love legacies and donors and recognize unqualified affirmative action.” Meanwhile, a Columbia University hacker told Bloomberg that they sought access to data from the university to investigate affirmative action practices.

If you have more information about the Penn hack, you can contact Amanda Silberling securely on Signal at @amanda.100, or via email, from a non-work device.