The incident began last Friday when University of Pennsylvania alumni and students started receiving multiple offensive emails sent from Penn.edu addresses. These emails falsely claimed the university had been hacked and data stolen, using strong, derogatory language to criticize the institution. While the university quickly downplayed the incident, calling the messages “fraudulent emails” and “obviously fake,” confirmed the emails originated from the connect.upenn.edu mailing list platform, which is hosted on Salesforce Marketing Cloud. This raised initial concerns about the security of Penn’s mailing systems.
The hacker claimed their group had achieved full access to an employee’s PennKey SSO account. This access reportedly allowed them to breach multiple core university systems, including Penn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files. The attacker stated they executed the breach on October 30th and completed data downloads before the compromised employee account was locked on October 31st.
The hacker further claimed to have exfiltrated data for an estimated 1.2 million students, alumni, and donors. This vast amount of stolen information allegedly includes sensitive details such as names, dates of birth, addresses, phone numbers, estimated net worth, and donation history. Alarmingly, the data also reportedly contained demographic details like religion, race, and sexual orientation. To support their claims of deep access and data theft, the threat actors shared screenshots and data samples and posted them online.
The attacker revealed that after their PennKey access was revoked, they still retained control over the Salesforce Marketing Cloud. They leveraged this continued access to send the widely circulated, offensive mass email to approximately 700,000 recipients. Regarding their motivation, the hackers clarified that the attack was primarily aimed at obtaining Penn’s donor database, a “vast, wonderfully wealthy” resource. They also expressed general disdain for “nepobaby-serving institutions” but denied having a political motive or attempting to extort the university, stating they could extract value from the data themselves.
In the wake of these severe claims, which included the subsequent publication of a 1.7-GB archive of files allegedly taken from Penn’s SharePoint and Box systems, the University of Pennsylvania offered a brief statement.
Reference:
