University of Pennsylvania Confirms October Data Breach Impacted Fewer Than Ten Individuals
The University of Pennsylvania has concluded its forensic investigation into a cybersecurity incident detected in October, revealing a massive discrepancy between the claims made by threat actors and the actual scope of the breach. While cybercriminals initially alleged they had stolen the sensitive personal data of approximately 1.2 million students, alumni, and donors, the university’s final review determined that fewer than 10 individuals were effectively impacted.
The incident began in late October when the university identified unauthorized access to its network infrastructure. Shortly after the intrusion was detected, a threat actor claimed responsibility on various cybercrime forums, asserting possession of a vast database containing names, Social Security numbers, and financial details. To further amplify their extortion attempts, the attackers utilized the compromised system to send offensive emails to a large distribution list, boasting of the alleged data theft. These actions appeared designed to damage the institution’s reputation and pressure officials into meeting ransom demands.
However, the university’s internal investigation contradicts the hackers’ narrative of a widespread compromise. Officials verified that while the attackers did gain access to certain systems—including Salesforce and SharePoint platforms—via stolen credentials obtained through social engineering, the actual exfiltration of private data was minimal. The university has characterized the hackers’ claims as significantly overstated and mischaracterized.
Following the conclusion of the review, Penn has moved to notify the small number of individuals whose personal information was confirmed to be accessed, in accordance with federal and state privacy laws. This event highlights a common tactic in modern cyber warfare, where attackers exaggerate the success of a breach to manufacture leverage, regardless of the actual data obtained. The university has since stated that it has implemented additional security measures to prevent similar social engineering attacks in the future.
inquirer.com
thedp.com
techradar.com
govtech.com
