Hackers Threaten to Leak Data After University of Pennsylvania Email Breach

The University of Pennsylvania (Penn) confirmed on Friday that it is responding to a cybersecurity breach after hackers infiltrated the university's email systems and sent multiple fraudulent messages to alums, students, staff, and affiliates.

The unauthorised emails, which appeared to originate from Penn's Graduate School of Education (GSE), carried provocative and misleading statements criticising the university's internal practices and threatening to leak private data.

“We have terrible security practices and are completely unmeritocratic,” one of the emails read. “We love breaking federal rules like FERPA (all your data will be leaked).”

The messages were distributed using legitimate @upenn.edu email accounts and appeared to come from various university officials, including senior faculty members. Some recipients reported receiving the same email multiple times from different sender addresses, suggesting that numerous compromised accounts were used in the attack.

University spokesperson Ron Ozio confirmed the breach in a statement, saying Penn's incident response team is "actively addressing the situation."

“A fraudulent email has been circulated that appears to come from the University of Pennsylvania’s Graduate School of Education. This is obviously a fake, and nothing in the highly offensive, hurtful message reflects the mission or actions of Penn or of Penn GSE,” Ozio said.

Motives Behind the Attack

The hackers claimed in one message that they intended to discourage alumni donations, writing, "Please stop giving us money." While the full scope of the intrusion remains under investigation, early indications suggest the attack was designed to embarrass the university and disrupt its fundraising activities.

The breach comes shortly after Penn joined six other universities in rejecting the White House's "Compact for Academic Excellence in Higher Education." The compact, part of the current administration's higher education policy initiative, sought to tie federal funding to specific ideological and policy changes within universities.

University Response and Political Context

The compact proposed several controversial measures, including the elimination of affirmative action in hiring and admissions, disciplinary actions against departments that "punish or belittle conservative ideas," tuition freezes for five years, and caps on international student enrollment. It also called for reinstating mandatory standardised tests such as the SAT and restricting support for transgender and gender non-conforming students.

Penn President J. Larry Jameson publicly rejected the proposal in a response published on the university's website.

“One-sided conditions conflict with the viewpoint diversity and freedom of expression that are central to how universities contribute to democracy and to society,” Jameson wrote, emphasizing that the compact “preferences and mandates protections for the communication of conservative thought alone.”

The timing of the cyberattack — just days after Penn's public refusal to sign the White House compact — has raised questions about whether the breach may have been politically motivated.

As of Friday evening, the university's IT department continues to assess the scale of the incident and has advised all users to change their passwords immediately and remain alert for phishing attempts.