University of Pennsylvania Data Breach Reportedly Affects 1.2 Million People

A recent data breach at the University of Pennsylvania has exposed sensitive information belonging to approximately 1.2 million individuals, including students, alumni and donors. The incident came to light on Oct. 31, 2025, after the university detected unauthorized access to internal systems and a series of offensive emails sent from an official Penn email addresses.

According to reporting by BleepingComputer, the breach began when threat actors gained full access to an employee’s PennKey single sign-on account. This access enabled them to infiltrate multiple university systems, including the VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system and SharePoint files.

The attackers claimed to have exfiltrated data for roughly 1.2 million people, including names, dates of birth, addresses, phone numbers, estimated net worth, donation history and demographic details such as race, religion and sexual orientation. So far, the number of impacted individuals includes 11,455 residents in Texas, 6,413 in Washington, and 1,488 in Maine.

The cybercriminals released a 1.7 GB cache of internal files allegedly taken from Penn’s SharePoint and Box systems and used their access to the Salesforce Marketing Cloud to send offensive mass emails to about 700,000 recipients. They said they were after the university’s donor database, not ransom, and framed the breach as a financially driven effort focused on exploiting wealth and donor information rather than any political agenda.

The University of Pennsylvania published a cybersecurity incident notice on its website, began notifying impacted individuals by mail, and disclosed the breach to the Attorney Generals' offices in Maine, California, Massachusetts, Texas, Vermont and Washington beginning on December 1, 2025.

University of Pennsylvania's response

In response to the breach, the University of Pennsylvania has initiated an internal investigation and notified law enforcement, including the FBI. The university is working with third-party technical experts to assess the scope of the breach and secure affected systems. Penn has confirmed that all impacted systems have been secured and restored.

They have acknowledged the incident publicly and are providing updates to the community as the investigation progresses. The university has stated it once the investigation and review is completed, that impacted individuals will be notified.

Given the nature of the information exposed, individuals associated with Penn, especially donors, alumni and students, should remain vigilant against targeted phishing or social engineering attempts. Attackers may use the stolen information to impersonate the university, solicit fraudulent donations or attempt to access online accounts.

Anyone receiving unexpected messages about donations or account activity should verify the legitimacy of such communications directly with the university before responding. It is also advisable to monitor financial accounts and consider updating passwords for any accounts that may use similar credentials to those associated with Penn.