What Happened
In late October 2025, the University of Pennsylvania (upenn.edu) suffered a data breach when the cybercrime group ShinyHunters used social engineering to steal credentials. With those credentials the group accessed systems related to alumni and donor activities, including Salesforce CRM, SharePoint, Box, QlikView, and Marketing Cloud. The exfiltrated sensitive data included names, birth dates, addresses, phone numbers, net worth estimates, donation history, demographics, internal memos, and bank records. The hackers claimed 1.2 million records on students, alumni, and donors, though Penn later stated in February 2026 court filings that fewer than 10 individuals were impacted and that notifications were sent accordingly.

The incident surfaced publicly on October 31, 2025, via offensive spam emails sent from university addresses that criticized admissions practices and security. ShinyHunters demanded a $1 million ransom, which went unpaid, prompting data leaks on forums like LeakForum starting November 1, 2025, and full publication on their site by February 4, 2026.

Penn contained the breach swiftly with help from CrowdStrike and the FBI, confirmed that no medical records were affected, and implemented training. It also faced class-action lawsuits alleging negligence, though one was dismissed.



