Cyber Incident Victim: University of Pennsylvania

On October 31 2025 a data breach occurred at the University of Pennsylvania’s Graduate School of Education, which the university later confirmed in November involved a select group of information systems related to Penn’s development and alumni activities. At the time of the breach the attackers sent alumni emails announcing the incident from official university addresses, and Penn attributed the intrusion to social engineering tactics. Later in November Harvard University also disclosed a breach of its alumni systems, stating that the attack was a voice phishing campaign that compromised email addresses, phone numbers, home and business addresses, event attendance, donation details and other biographical information tied to fundraising and alumni engagement. On February 4 2026 the hacking group ShinyHunters posted on its forum claiming responsibility for the Penn and Harvard breaches, stating that the data was released because the universities had refused to pay a ransom or cooperate with the group’s demands. The group’s post referenced a recent court filing that described the October 31 2025 incident as impacting fewer than ten individuals, yet ShinyHunters asserted that the breach affected approximately 1.2 million records. The hackers said they had kept the data private for a short period before planning to release it publicly within one to two months after using it, and later told The Verge they intended to sell the data before any public release.

The leaked material published by ShinyHunters included private documents not seen in the initial breach, such as university donor records, internal talking points and a November 2023 progress report from the University Antisemitism Action Plan. The dataset also contained personal information of several high‑profile individuals, notably a 1968 Wharton graduate who is President Donald Trump and members of his family, with internal Penn labels identifying multiple Trump relatives as “Confirmed Ultra High Net Worth” individuals. In addition to the data release, eighteen Penn graduates filed class‑action lawsuits against the university over the breach, and those filings were later consolidated by a district judge. A university spokesperson told both The Daily Pennsylvanian and TechCrunch that Penn was analyzing the leaked data and would notify any affected individuals as required by applicable privacy regulations, adding that the institution had completed a comprehensive review of the incident and had already notified those deemed impacted. TechCrunch verified a portion of the published dataset by matching entries with alumni records and public sources such as student ID numbers, confirming that the information aligned with the type of data both universities had described as stolen. Throughout the episode ShinyHunters asserted that the release was motivated by the universities’ refusal to pay a ransom, and during the Penn breach the attackers included language in their alumni emails expressing discontent with affirmative action policies, although the group is not known to have political motivations and did not explain the inclusion of that phrasing.