The University of Pennsylvania has disclosed a data breach after a threat actor gained access to personal information belonging to students, alumni, staff, and community affiliates.
The breach surfaced after an apparently politically motivated hacktivist circulated a charged email using official UPenn addresses, threatening to leak the stolen information.
“We have terrible security practices and are completely unmeritocratic,” they fumed. “We love breaking federal rules like FERPA (all your data will be leaked) and Supreme Court rulings like SFFA.”
The cyber attack occurred hot on the heels of similar data breaches affecting Columbia University and New York University amid ongoing political and legal battles with the Trump administration.
Data breach at the University of Pennsylvania leaks personal information
The attacker, who appears to be at least partly politically motivated, claimed to have exfiltrated over 1.2 million records of personal information, some of which date back decades and include banking information. However, no medical information was accessed during the cyber attack, according to the university’s current assessment.
“The claims that 1.2 million donor, alumni and student records may have been exfiltrated at Penn including access via a compromised SSO account, VPN, SharePoint, Salesforce, SAP and BI systems highlight the highly leveraged value of non financial, crowd sourced datasets,” stated Ensar Seker, CISO at SOCRadar. “What’s alarming here is the attack vector: the hacker asserts that rather than immediately demanding ransom, the aim was pure information theft and monetization of donor insights.”
“If this breach is genuine as claimed, the impact extends beyond identity theft. Data sets linking net worth, donation history and demographic details (race, religion, sexual orientation) are highly tailored and valuable to adversaries launching social engineering, targeted phishing or credential stuffing campaigns,” added Seker.
The hacktivist accused UPenn of having abhorrent security practices and ignoring meritocracy in its admission process to prioritize “woke” applicants. They also alleged that UPenn overlooks meritocracy because it loves “legacies, donors and unqualified affirmative action admits.”
The University of Pennsylvania and other Ivy League institutions, including Harvard, are embroiled in a legal and political tussle with the Trump administration over allegations of political partisanship that prioritizes progressive causes, which conflict with the President’s “America First” agenda.
Some Ivy League institutions have been accused of failing to curb antisemitism on their campuses, resulting in federal funding freezes, which they have challenged in federal courts.
In May, the Trump administration canceled $100 million in federal contracts with Harvard after withholding $2.2 billion in federal grants due to the Ivy League institution’s alleged refusal to address antisemitism. The U.S. General Services Administration also requested that federal agencies list all contracts with Harvard and find alternative vendors.
Investigation in progress for data breach
Meanwhile, the University of Pennsylvania says it is investigating the data breach with the assistance of experienced external cybersecurity experts and has notified the Federal Bureau of Investigation. It also took the affected portal offline and informed individuals who received the hacktivist’s emails that the message was fraudulent.
“Penn’s staff rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker. Penn is still investigating the nature of the information that was obtained during this time,” it stated.
The university also states that it is identifying individuals whose personal details were leaked and will notify them accordingly. Nonetheless, UPenn is facing a class action lawsuit for allegedly failing to stop the data breach despite having a multi-billion-dollar budget.
While the identity of the threat actor remains unknown, the university has disclosed that stolen credentials were used to breach Penn’s development and alumni portal, underscoring the need for phishing-resistant multi-factor authentication.
“This incident highlights the double-edged nature of single sign-on (SSO),” stated Darren James, a Senior Product Manager at Specops Software. “It is an effective way to simplify access and strengthen security through centralized monitoring and MFA, but if compromised, it can act like a master key and provide access to multiple connected systems at once. In this case, the access spanning Salesforce, Qlik, SAP, and SharePoint is unusual and raises questions about how role-based access controls were managed.”
Meanwhile, New York University and Columbia have suffered similar data breaches in the past. In July, a sophisticated political hacktivist breached Columbia University to expose the Ivy League institution for its alleged race-based hiring and admission in violation of the Supreme Court ruling on affirmative action. The data breach exposed the recently elected New York City Mayor Zohran Mamdani’s college application, in which he identified as Black and Asian.
The cyber attack also locked out students and staff from their email accounts and educational software. In addition, a smiling picture of President Donald Trump was displayed on some screens, highlighting the political nature of the data breach.
In March, New York University also suffered a data breach after a hacktivist breached the elite institution to expose alleged race-based admissions. NYU says it complies with all federal regulations.
Nevertheless, the NYU data breach leaked Social Security Numbers (SSNs), citizenship documents, university-issued ID numbers, application decisions, employee salaries, and other sensitive personal details.

