A hacker has claimed responsibility for the recent offensive emails sent from University of Pennsylvania accounts, revealing the incident was part of a much larger data breach. While the university initially dismissed the mass email as “fraudulent,” the attacker alleges they stole sensitive records belonging to 1.2 million students, alumni, and donors.

Scope of the Breach and Stolen Data

The threat actor claims they gained extensive access by compromising a single employee’s PennKey single sign-on (SSO) account. This allegedly provided a gateway to numerous internal systems, including the university’s VPN, Salesforce, SAP business intelligence platform, and SharePoint. Using this access, the hacker claims to have exfiltrated a vast trove of data. The stolen information reportedly includes names, birth dates, addresses, phone numbers, donation histories, estimated net worth, and sensitive demographic details like race and religion. As proof, the attacker released a 1.7 GB archive of internal documents and shared data samples with journalists.

Hacker’s Motive and University Response

According to the hacker, the primary motivation was not extortion but the acquisition of Penn’s “vast, wonderfully wealthy donor database.” After the university revoked their main access, the attacker used their remaining access to Salesforce Marketing Cloud to send the offensive emails to approximately 700,000 recipients. In response to these escalating claims, the University of Pennsylvania has now referred the security incident to the FBI and is working with law enforcement. Donors and alumni are warned to be vigilant against targeted phishing or social engineering attempts that may use this stolen information to solicit fraudulent donations.