Penn says info compromised in data breach has been ‘mischaracterized’

A forensic investigation into the breach remains ongoing, the university said.

The University of Pennsylvania, Nov. 12, 2025. Tom Gralish / Staff Photographer

Following a cybersecurity breach at the University of Pennsylvania last month, an anonymous hacker claimed that they had compromised data for some 1.2 million students, donors, and alumni — a figure that the school now says is inaccurate.

“The 1.2 million number has been mischaracterized and overstates the impact,” Penn said on an information page about the incident updated Friday.

The university said that a forensic investigation into the breach remains ongoing and that a “precise number” of records that were improperly accessed was not yet available.

A timeline of when that investigation would be concluded was not provided, with the school noting that analysis of the breach would “take time to complete.”

“While our investigation is ongoing, we do not currently have evidence to indicate that information involved in this incident has been used for the purposes of fraud,” the university said.

The incident was reported Oct. 31, when students and alumni received what the school called a “fraudulent” email crudely criticizing Penn’s hiring practices. The message, which also called on recipients to stop donating money to the university, appeared to come from Penn’s Graduate School of Education.

“We have terrible security practices and are completely unmeritocratic,” the email said.

Since then, Penn has said that the breach had been contained and that the incident was reported to the FBI.

The breach, the university said, came as a result of “sophisticated identity impersonation commonly known as social engineering,” which is a hacking technique in which “bad actors deceive individuals into giving up confidential information.”

Systems accessed included “Penn’s Customer Relationship Management (CRM) system (Salesforce), file repositories (SharePoint and Box), a reporting application (Qlikview), as well as Marketing Cloud,” the school added.

Electronic medical records from Penn Medicine do not appear to have been accessed in the breach. In its update Friday, the university said that it would notify individuals whose information had been accessed once its analysis of the incident was complete.

The data, according to the Daily Pennsylvanian, Penn’s student newspaper, included memos about donors and their families, receipts of bank transactions, and personal information. The DP said that it reviewed documents released by the alleged hacker on LeakForum and that the perpetrator claimed to have accessed data on 1.2 million Penn students, alumni, and donors.

The Verge, a technology publication, reported that among the items obtained was personal information about former President Joe Biden, whose granddaughter had been a student at Penn. The hacker claiming responsibility for the breach told the outlet that they planned to sell some of the data before releasing it publicly.

Beyond disputing the 1.2 million figure, Penn has not commented on what information was accessed.

Following news of the breach, more than a dozen proposed class-action lawsuits were filed against the university in federal and state courts alleging that Penn failed to secure the personal information of those affected.

The litigation is still in its early stages, and Penn hasn’t yet responded to the allegations in court filings. On Monday, attorneys who filed 10 of the 14 federal lawsuits in the Eastern District of Pennsylvania asked the court to consolidate the cases.

On its information page about the incident, Penn warned school community members to “be wary of suspicious calls or emails that could be phishing attempts,” as well as “any embedded links in emails that you are not familiar with.”

It also advised concerned individuals to take steps such as reviewing their credit reports and activating fraud alerts with major credit bureaus.

“We recognize the severity of this incident and are working diligently to address it,” the university said.

Staff writers Abraham Gutman and Susan Snyder contributed to this article.