University of Pennsylvania confirms data stolen in cyberattack
2025-11-5 16:15:17 Author: www.bleepingcomputer.com

The University of Pennsylvania has confirmed that a hacker breached numerous internal systems related to the university's development and alumni activities and stole data in a cyberattack. 

In a new statement, Penn confirmed BleepingComputer's reporting that the hackers breached its systems using compromised credentials, stating they were stolen in a social engineering attack.

"On October 31, Penn discovered that a select group of information systems related to Penn's development and alumni activities had been compromised," reads a new Penn statement.

"Penn employs a robust information security program; however, access to these systems occurred due to a sophisticated identity impersonation commonly known as social engineering."

"Penn's staff rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker. Penn is still investigating the nature of the information that was obtained during this time."

The University of Pennsylvania says it has notified the FBI of the breach and is working with CrowdStrike to investigate the security incident.

As first reported by BleepingComputer, the threat actor breached Penn's systems on October 30 using an employee's PennKey SSO account that provided access to the university's Salesforce instance, Qlik analytics platform, SAP business intelligence system, and SharePoint files.

Using this access, the threat actors stole 1.71 GB of internal documents from the university's SharePoint and Box storage platforms, including spreadsheets, documents, financial information, and alumni marketing materials.

The hackers also told BleepingComputer that they stole Penn's Salesforce donor marketing database, containing 1.2 million records with a wide variety of donor information.

A sample of this data includes 158 distinct fields, which contain the following sensitive information:

  • Personally Identifiable Information (PII): full name, birthdate, gender, home and mailing addresses, phone numbers, and email addresses.
  • Financial and donor data: gift histories, wealth ratings, and lifetime commitment amounts.
  • Employment and affiliation details: employer, job title, and academic affiliations.

After discovering their access had been revoked, the hacker said they still had access to Penn's Salesforce Marketing Cloud account and used it to send an offensive mass email to 700,000 recipients.

In a post on a hacking forum, the attackers say they are not currently leaking the data records but may do so in a month or two.

While the hackers claimed the attack wasn't politically motivated and said their goal was Penn's "vast, wonderfully wealthy donor database," both their emails and a post on a hacking forum were laced with sharp criticism of the university's alleged DEI practices, admissions policies, and "love of nepobabies."

The University of Pennsylvania says it is taking steps to increase security on its systems, including employee training on social engineering attacks and enhanced monitoring and security measures.

After the investigation is complete, Penn says it will notify those affected by the data breach.

The university is also warning Penn students and alumni to be wary of suspicious calls or emails that could be phishing attempts or social engineering attacks.



Source: https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-confirms-data-stolen-in-cyberattack/