Penn Hacker Claims to Have Stolen 1.2 Million Donor Records in Data Breach
- A hacker claims to have stolen data on 1.2 million Penn donors.
- The breach highlights the importance of robust security measures.
- Organizations should enhance monitoring and review access controls.
- Cyber threat intelligence platforms play a crucial role in proactive defense.
- PurpleOps offers services to help organizations protect against data breaches.
Table of Contents:
- Details of the Penn Data Breach
- Potential Impact and Actionable Advice
- The Role of Threat Intelligence Platforms
- Supply Chain Vulnerabilities and Third-Party Risks
- Connection to PurpleOps Services
- FAQ
Details of the Penn Data Breach
A recent cybersecurity incident at the University of Pennsylvania (Penn) has brought to light the vulnerability of large organizations to data breaches. A hacker has claimed responsibility for the “We got hacked” email incident that impacted Penn, asserting that the breach was far more extensive than initially acknowledged, exposing data on 1.2 million donors and internal documents. This incident serves as a reminder of the importance of robust security measures and the potential impact of breach detection failures.
On a Friday, University of Pennsylvania alumni and students received multiple offensive emails from Penn.edu addresses, with the messages claiming the university had been hacked and data stolen. While the university initially downplayed the incident, describing the messages as “fraudulent emails,” the threat actor behind the attack contacted BleepingComputer, claiming the intrusion was far broader and that they had gained access to multiple university systems.
The hacker stated that their group “gained full access” to an employee’s PennKey SSO account, which provided access to Penn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files. The hacker claimed to have exfiltrated data for roughly 1.2 million students, alumni, and donors, including names, dates of birth, addresses, phone numbers, estimated net worth, donation history, and demographic details such as religion, race, and sexual orientation. Screenshots and data samples were shared to prove access to these systems and the theft of data.

According to the hacker, Penn’s systems were breached on October 30th, and data downloads were completed by October 31st, when the compromised employee account was locked. Following the revocation of access, the hacker utilized Salesforce Marketing Cloud to send the offensive mass email to approximately 700,000 recipients.
The hacker declined to elaborate on the method used to steal credentials, stating only that the intrusion was simple and caused by Penn’s security lapses. Subsequently, a 1.7-GB archive containing spreadsheets, donation materials, and other files allegedly taken from Penn’s SharePoint and Box systems was published.
The attacker stated that the motivation was not political but aimed at obtaining Penn’s donor database. While the donor database has not yet been leaked, the threat actors claim they may release it in a month or two.
In response to these claims, the University of Pennsylvania stated that they are continuing to investigate.
Potential Impact and Actionable Advice
The exposure of donor data can have significant consequences, including the risk of targeted phishing or social engineering attempts. Attackers could use the stolen information to impersonate the university, solicit fraudulent donations, or gain access to donor credentials to breach their online accounts.
For technical readers:
- Enhance monitoring and alerting: Implement or improve existing systems for brand leak alerting, focusing on sensitive data related to donors and financial information. Monitor internal systems for unusual data exfiltration activities.
- Review access controls: Conduct a thorough review of access control policies and practices. Ensure that the principle of least privilege is enforced, limiting employee access to only the data and systems necessary for their roles. Pay special attention to accounts with SSO access, which can provide broad access to multiple systems.
- Strengthen endpoint security: Implement or enhance endpoint detection and response (EDR) solutions to detect and prevent malware infections and unauthorized access attempts.
- Improve security awareness training: Conduct regular security awareness training for employees and students, emphasizing the importance of recognizing and reporting phishing attempts and other social engineering tactics.
- Implement multi-factor authentication (MFA): Enforce multi-factor authentication for all critical systems and applications, including VPNs, email, and financial systems.
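One way to put the monitoring and access-control points above into practice, as an added example that is not code from the original post: the script below runs three checks over constructed SSO/SaaS audit events (user names, application names, byte counts, dates and the lockout time are all assumed, not real Penn logs). It flags an account that suddenly reaches several applications outside its normal baseline, sums bulk export volume per account, and reports actions logged after the account was locked, which is the pattern described in the incident where the mass mail went out after access had been revoked.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (user, app, action, bytes, ISO timestamp).
# Assumed values for illustration only; not taken from any real log.
EVENTS = [
    ("jdoe", "vpn", "login", 0, "2025-10-30T01:02:00"),
    ("jdoe", "salesforce", "export", 900_000_000, "2025-10-30T01:10:00"),
    ("jdoe", "qlik", "export", 300_000_000, "2025-10-30T01:25:00"),
    ("jdoe", "sap_bi", "export", 200_000_000, "2025-10-30T02:00:00"),
    ("jdoe", "sharepoint", "download", 400_000_000, "2025-10-31T03:00:00"),
    ("jdoe", "sfmc", "send_bulk", 0, "2025-10-31T14:00:00"),  # after lockout
    ("asmith", "sharepoint", "download", 5_000_000, "2025-10-30T09:00:00"),
]
# Assumed per-user baseline of applications normally used, and lockout times.
BASELINE_APPS = {"jdoe": {"sharepoint"}, "asmith": {"sharepoint", "vpn"}}
LOCKOUT = {"jdoe": "2025-10-31T09:00:00"}


def parse(ts):
    return datetime.fromisoformat(ts)


def app_breadth_alerts(events, baseline, window=timedelta(hours=24), threshold=3):
    """Flag users who reach >= threshold apps outside their baseline inside one window."""
    by_user = defaultdict(list)
    for user, app, _, _, ts in events:
        by_user[user].append((parse(ts), app))
    alerts = {}
    for user, rows in by_user.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):  # slide the window from each event
            novel = {a for t, a in rows[i:]
                     if t - t0 <= window and a not in baseline.get(user, set())}
            if len(novel) >= threshold:
                alerts[user] = sorted(novel)
                break
    return alerts


def exfil_volume(events, threshold_bytes=1_000_000_000):
    """Total export/download bytes per user; return those above the threshold."""
    totals = defaultdict(int)
    for user, _, action, nbytes, _ in events:
        if action in ("export", "download"):
            totals[user] += nbytes
    return {u: b for u, b in totals.items() if b >= threshold_bytes}


def post_revocation_activity(events, lockout):
    """Actions after lockout mean a session or token outlived the SSO revocation."""
    out = defaultdict(list)
    for user, app, action, _, ts in events:
        if user in lockout and parse(ts) > parse(lockout[user]):
            out[user].append((app, action))
    return dict(out)
```

Thresholds and the baseline are deliberately simple; in production they would come from per-user history rather than hard-coded sets.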
For non-technical readers:
- Stay vigilant against phishing: Be cautious of any unsolicited emails or phone calls asking for personal or financial information. Verify the legitimacy of any request by contacting the university directly through official channels.
- Monitor your accounts: Regularly monitor your bank and credit card statements for any unauthorized transactions. Report any suspicious activity to your financial institution immediately.
- Change your passwords: If you are a Penn donor or affiliate, consider changing your passwords for all online accounts, especially those that use the same username and password as your PennKey account.
- Be skeptical of donation requests: Be wary of any donation requests that seem unusual or suspicious. Always verify the legitimacy of the request by contacting the university directly through official channels.
The Role of Threat Intelligence Platforms
Incidents like the Penn data breach highlight the critical role of cyber threat intelligence platforms in proactive cybersecurity defense. By aggregating and analyzing data from various sources, including dark web monitoring, underground forums, and other threat intelligence feeds, organizations can gain valuable insights into potential threats and vulnerabilities.
A comprehensive cyber threat intelligence platform can provide:
- Real-time ransomware intelligence: Information about emerging ransomware threats, including indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by ransomware actors.
- Supply-chain risk monitoring: Identification of potential risks associated with third-party vendors and suppliers, including security vulnerabilities and data breaches.
- Underground forum intelligence: Monitoring of underground forums and marketplaces for discussions about data breaches, stolen credentials, and other cybercrime activities.
- Telegram threat monitoring: Monitoring of Telegram channels and groups for discussions about cyber threats, malware, and hacking tools.
- Live ransomware API: Access to real-time data on ransomware incidents, including victim information, ransom demands, and payment status.
By leveraging these capabilities, organizations can improve their ability to detect and respond to cyber threats before they cause significant damage.
Supply Chain Vulnerabilities and Third-Party Risks
The Penn data breach underscores the importance of supply-chain risk monitoring and managing third-party risks. The fact that the hacker gained access through an employee’s PennKey SSO account highlights the need for organizations to carefully vet and monitor their vendors and suppliers, ensuring that they have adequate security measures in place to protect sensitive data.
Organizations should:
- Conduct regular security assessments: Perform regular security assessments of their vendors and suppliers to identify potential vulnerabilities.
- Implement contractual requirements: Include security requirements in contracts with vendors and suppliers, specifying the security measures they must implement to protect sensitive data.
- Monitor vendor security posture: Continuously monitor the security posture of their vendors and suppliers, tracking security incidents, vulnerabilities, and other security-related events.
Connection to PurpleOps Services
PurpleOps offers a comprehensive suite of cybersecurity services that can help organizations prevent, detect, and respond to data breaches like the one experienced by the University of Pennsylvania. Our services include:
- Cyber Threat Intelligence: PurpleOps provides actionable threat intelligence to help organizations understand their threat landscape and prioritize their security efforts. Our cyber threat intelligence platform aggregates and analyzes data from various sources, including the dark web, underground forums, and other threat intelligence feeds, providing valuable insights into potential threats and vulnerabilities.
- Dark Web Monitoring: PurpleOps monitors the dark web for compromised credentials, sensitive data, and other information that could be used to target your organization.
- Breach Detection: PurpleOps helps organizations detect and respond to data breaches quickly and effectively. Our breach detection solutions use advanced analytics and machine learning to identify suspicious activity and alert security teams to potential incidents.
- Supply Chain Information Security: PurpleOps provides comprehensive supply chain risk management services to help organizations identify and mitigate risks associated with their third-party vendors and suppliers. Our services include vendor security assessments, contract reviews, and continuous security monitoring.
- Red Team Operations: To proactively identify vulnerabilities, PurpleOps offers Red Team Operations services, which simulate real-world attacks to test an organization’s defenses.
- Penetration Testing: PurpleOps also provides Penetration Testing services to assess the security of specific systems and applications.
- Underground Forum Intelligence: PurpleOps’s platform monitors underground forums to identify discussions about potential threats targeting your organization.
- Brand Leak Alerting: PurpleOps provides brand leak alerting services to help organizations identify and respond to unauthorized disclosures of sensitive information.
- Protect Ransomware: PurpleOps offers services designed to protect against ransomware attacks, including proactive monitoring, threat intelligence, and incident response.
This incident illustrates the potential damage from a data breach and the importance of proactive and comprehensive cybersecurity measures. From establishing brand leak alerting and Telegram threat monitoring to utilizing a cyber threat intelligence platform, organizations can significantly improve their security posture.
To learn more about how PurpleOps can help your organization protect against data breaches and other cyber threats, please explore our platform and services or contact us for more information.
FAQ
Q: What is a data breach?
A: A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.
Q: What can I do to protect myself from phishing attacks?
A: Be cautious of unsolicited emails or phone calls asking for personal or financial information. Verify the legitimacy of any request by contacting the organization directly through official channels.
Q: How can a cyber threat intelligence platform help?
A: A cyber threat intelligence platform aggregates and analyzes data from various sources to provide insights into potential threats and vulnerabilities, enabling organizations to proactively defend against cyberattacks.