‘We have horrible safety practices’: University of Pennsylvania hackers say they’ve stolen more than one million records in major cyberattack

  • Attacker accessed university systems via a compromised SSO account and stole data on 1.2 million people
  • Offensive mass email sent after the attacker was expelled, using retained access to Salesforce Marketing Cloud
  • The stolen data includes PII, financial and demographic details; the attacker is targeting wealthy donors, with no ransom planned

Cybercriminals have claimed responsibility for the recent cyberattack on the University of Pennsylvania, claiming they stole data on roughly 1.2 million students, alumni and donors.

An unnamed threat actor told BleepingComputer they gained “full access” to a University employee’s PennKey SSO account, which gave them access to Penn’s VPN, Salesforce data, the Qlik analytics platform, SAP’s business intelligence system, and SharePoint files.

The stolen data allegedly includes people’s names, dates of birth, addresses, phone numbers, estimated net worth, donation history, and demographic details (race, religion, sexual orientation, and the like).

Offensive emails

The confirmation came in response to the University’s claims, which significantly downplayed the severity of the hit.

The data breach appears to have taken place around October 30 and 31, after which the University detected the intrusion and expelled the attacker. The move appears to have angered them, as they then used access to Salesforce Marketing Cloud (which they retained) to send an offensive email to roughly 700,000 recipients.

“The University of Pennsylvania is an elitist establishment stuffed with mentally retarded individuals. We have horrible safety practices and are in no way meritocratic,” the email said.

“We rent and admit morons as a result of we love legacies, donors, and unconditional affirmative motion. We love violating federal legal guidelines like FERPA (all of your information can be leaked) and Supreme Court rulings like SFFA.”

The University of Pennsylvania described the emails as “obviously false” and “fraudulent.”

The attackers then confirmed that they will not ask the University for a ransom payment, as they do not believe the victims would pay anyway. “The principal goal was their monumental and splendidly wealthy database of donors,” they said.

It would appear that they will now try to target donors.

Via BleepingComputer

Tech Insider (NewForTech Editorial Team)