The University of Pennsylvania has confirmed that a hacker stole sensitive university data during a recent cyberattack. The breach, first detected on October 31, 2025, resulted in unauthorized access to systems connected to the university’s development and alumni activities.
Initially, the University of Pennsylvania dismissed reports of a hack as “fraudulent.” However, officials later acknowledged that data was indeed taken. In a statement released to alumni and shared publicly, the university explained that staff “rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker.”
The University of Pennsylvania Breach and Attack Details
The attackers gained access through a social engineering technique, a method that deceives individuals into revealing their credentials. Once inside, the hackers sent a mass email from official university addresses. The email read: “We got hacked. We love breaking federal laws like FERPA (all your data will be leaked). Please stop giving us money.”
According to reports, the hackers compromised a PennKey single sign-on account, which allowed them access to multiple internal systems, including the university’s VPN, Salesforce databases, SAP systems, and SharePoint files. This access reportedly lasted for nearly two days, from October 30 to October 31, before being detected and contained.
An internal source revealed that the university requires multi-factor authentication (MFA) for students, staff, and alumni accounts as a security measure. However, some senior officials were allegedly granted exemptions from the MFA requirement.
When asked about the MFA exemptions or adoption rates, a university spokesperson declined to comment beyond the official data incident page.
Scope of the Data Theft
While the full scope of the data breach remains unclear, reports suggest that as many as 1.2 million records may have been compromised. The stolen data reportedly includes names, contact details, donation records, estimated net worth, and demographic information such as race, religion, and sexual orientation. The hacker also claimed to have accessed documents related to donor activities and bank transaction receipts.
Although the university is still assessing the damage, officials confirmed that medical systems operated by Penn Medicine were not affected. As required by law, the university will contact individuals whose personal data was compromised, though no timeline has been announced.
Investigation and Legal Fallout
The University of Pennsylvania has reported the incident to the Federal Bureau of Investigation (FBI) and enlisted third-party cybersecurity experts to assist in the investigation. Despite these actions, the university is already facing potential legal consequences. At least one class-action lawsuit has been filed by former students, accusing the university of negligence in protecting personal data.
The hackers’ motivations appear mixed. In the initial message to the university community, the attackers criticized legacy admissions and affirmative action policies, stating, “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.” However, further statements from the group indicate their primary motive was financial, aiming to profit from the stolen data rather than make a political statement.