Penn’s October data breach impacted fewer than 10 people, despite hackers’ claims it was 1.2 million
"Penn sent notifications to the limited number of individuals whose personal information was impacted as required by applicable notification laws," the school said.

The data breach that anonymous hackers claimed had compromised data for 1.2 million students, donors, and alumni at the University of Pennsylvania actually impacted fewer than 10 people, according to a legal filing in a proposed class action lawsuit against Penn over the breach.
A Penn source confirmed Tuesday that fewer than 10 people received notifications that their personal information had been affected in the Oct. 31 incident.
“Penn conducted a comprehensive review of the downloaded files to determine whose information may have been involved,” the university said in a statement. “That review is now complete. Penn sent notifications to the limited number of individuals whose personal information was impacted as required by applicable notification laws.”
A second data breach weeks later involving Oracle E-Business Suite was much more widespread and affected more than 100 companies. Penn’s notifications to impacted individuals in that incident were more widespread, though the school hasn’t released the number.
In the first case, Penn quickly said it could not verify the hackers’ claim about the number of people whose records were obtained. The incident drew widespread attention because the hackers sent an offensive email, which claimed to be from Penn, to alumni and students.
“We have terrible security practices and are completely unmeritocratic,” the email read. “Please stop giving us money.”
The school hired cybersecurity specialists to help investigate the breach, which accessed systems related to development and alumni activities. Penn said at the time it was taking steps to prevent future attacks and would be instituting mandatory training.
A series of proposed class-action lawsuits were filed in U.S. Eastern District Court following the hack, alleging that Penn failed to protect users’ sensitive data and in turn allowed it to fall into “the hands of cybercriminals who will undoubtedly use [the information] for nefarious purposes.”
A federal district judge consolidated 18 lawsuits in December into a single proposed class-action case, but eight members of the Penn community who filed lawsuits dropped out in recent weeks.
The exodus of plaintiffs is the result of Penn’s disclosure to attorneys involved with the litigation that fewer than 10 people were impacted by the breach, and none of those who sued were among them, attorneys for the plaintiffs said in a Monday court filing.
The small impact of the breach could be detrimental for the cases if they continue on their own, the attorneys said. They proposed incorporating the remaining cases with the Oracle-breach litigation that is ongoing in Western Texas District Court.
Another faction of attorneys involved in the case disagrees.
A judge is expected to decide which attorneys will lead the litigation and coordinate among all the litigants, a decision that could determine whether the case will be heard in Philadelphia or Texas.