The University of Pennsylvania confirmed Tuesday that hackers successfully stole university data during last week's cyberattack, contradicting earlier claims that suspicious emails sent to alumni were merely "fraudulent." The breach, which occurred through a social engineering attack on October 31, exposed sensitive information from development and alumni systems before staff could lock down compromised accounts.
The University of Pennsylvania just admitted what hackers claimed all along - they didn't just send offensive emails, they actually stole university data. The confirmation comes after Penn initially dismissed the October 31 incident as merely "fraudulent" messaging, but internal pressure and evidence forced a more honest reckoning.
The hackers made their breach crystal clear in messages sent to thousands of alumni and affiliates. "We got hacked," the taunting email read, adding "We love breaking federal laws like FERPA (all your data will be leaked). Please stop giving us money." What seemed like juvenile trolling was actually a victory lap after a successful data heist.
Penn's Tuesday statement to the community painted a different picture than their initial response to TechCrunch. "Penn discovered that a select group of information systems related to Penn's development and alumni activities had been compromised," the university finally admitted. "Penn's staff rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker."
The breach method reveals concerning security gaps at one of America's most prestigious universities. Penn confirmed the attack succeeded through social engineering - hackers tricked employees into handing over login credentials, likely through sophisticated phishing or phone calls impersonating IT staff.
But here's where it gets more troubling. A Penn employee told TechCrunch that while the university requires multi-factor authentication for most users, "some high-ranking officials were granted exemptions to MFA requirements." When pressed for details about these security exceptions, Penn spokesperson Ron Ozio declined to comment beyond their official incident page.
The scope of stolen data remains murky, but early reports suggest it's extensive. The Daily Pennsylvanian reports the hacker claimed to have accessed donor documents, bank transaction receipts, and personally identifiable information. Penn hasn't revealed how many people are affected or when they'll notify victims, as required by law.
