Penn reports email breach incident to the FBI, and an alum files a lawsuit
An undetermined number of Penn students and alumni received what school officials called a “fraudulent email” purporting to be from the university's Graduate School of Education.
The University of Pennsylvania is continuing to investigate an email breach that resulted in a crude email being sent to alumni and students last week and has reported the incident to federal authorities.
“We understand and share our community’s concerns and have reported this to the FBI,” a university spokesperson said. “We are working with law enforcement as well as other third-party technical resources to address this as rapidly as possible.”
The incident, the spokesperson added, included the “breach of data of select information systems.”
On Friday, an undetermined number of Penn students and alumni received what school officials called a “fraudulent email” that denigrated the university’s hiring practices and policies and encouraged readers to “stop giving us money.”
The email appeared to come from Penn’s Graduate School of Education.
“We have terrible security practices and are completely unmeritocratic,” the email read, after describing the university using an offensive phrase.
The message to some recipients had a subject line of “We got hacked (Action Required).” In a statement, the school said the email was “obviously a fake” and called its contents “highly offensive.” Information security workers, it added, were “actively addressing” the situation.
On Sunday, cybersecurity news website Bleeping Computer reported that a hacker, who remained anonymous, claimed credit for the email and said they had taken data for a large number of people affiliated with the university.
Authorities have not confirmed whether the incident result in the theft of personal data. The FBI’s Philadelphia office declined to comment, citing the ongoing government shutdown.
A proposed class action lawsuit filed Monday in U.S. Eastern District Court alleges that Penn failed to protect users’ sensitive data and in turn allowed it to fall into “the hands of cybercriminals who will undoubtedly use [the information] for nefarious purposes.”
Filed on behalf of Christopher Kelly, a Penn alumnus in Chicago, the lawsuit claims that there more than 100 potential class members and seeks more than $5,000,000 in damages. Penn, the lawsuit alleges, was negligent in enforcing its security policies and failed to quickly notify those impacted, among other claims.
Kelly received the email Friday and claims that his private information was “acquired by an unauthorized actor” as a result of the breach, according to the filing. The lawsuit adds that “for the rest of his life, [he] will have to worry about when and how” his information may be used.
A Penn spokesperson declined to comment on the lawsuit.
Last month, the school rejected a compact proposed by President Donald Trump’s administration that would have given the school preferential consideration for federal funding in exchange for greater influence over hiring, admissions, and curriculum. A number of other elite universities were also asked to participate.
The school, Penn president J. Larry Jameson said in a statement addressing the decision not to join the compact, is “committed to merit-based achievement and accountability.”