Here’s some more University of Penn stuff

Corrected title.

I don’t know if this was covered, but as I looed at the date while writing this paragraph, it looks like it was written today.

We recently blogged about Pen State and a Potential Hack.

Now, it seems like a hacker group or actor has come out and taken responsibility for it. From what we know, the article states that the actor or actor group took 1.2 million people’s info including the usual which is name, address, phone, etc.

While this article repeats the message that was sent to people, it seems as though the actor came out through Bleeping Computer. I guess they wanted the PR?

The hacker said their group “gained full access” to an employee’s PennKey SSO account, allowing access to Penn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files.

That’s a lot of systems to be downplaying a lot of data, Pen State! Please come clean and don’t do that fucking shit. You’re not going to get good PR for that crap, especially from someone who knows how to do the best job they can and not have many issues, especially with pilfering data. As far as I know, nobody has pilfered anything from me.

Here’ more.

They said they exfiltrated data for roughly 1.2 million students, alumni, and donors, including names, dates of birth, addresses, phone numbers, estimated net worth, donation history, and demographic details such as religion, race, and sexual orientation.

The threat actors shared screenshots and data samples with BleepingComputer and posted them online to prove that they had indeed accessed these systems and stolen data from Penn.

The attackers told BleepingComputer they breached Penn’s systems on October 30th and completed data downloads by October 31st, when the compromised employee account was locked and access lost.

After discovering their access had been revoked, the hacker said they still had access to Salesforce Marketing Cloud and used it to send the offensive mass email to roughly 700,000 recipients.

When asked whether the credentials were stolen via an infostealer or phishing, the hacker declined to elaborate, saying the intrusion was simple and caused by Penn’s security lapses.

The whole goal, says the article, was to get at those who donate to the school and nothing else. But Pen State is like any of the other schools who say they take security seriously until something like this happens and they have no idea.

It took the actors a complete day to get 1.7gb of data pilfered from the network.

Read this update we found today by reading the article Penn hacker claims to have stolen 1.2 million donor records in data breach and make it great day!