
Hacker Steals 1.2 Million Donor Records in Penn Data Breach

Major Penn Data Breach: What Donors and Alumni Need to Know

The University of Pennsylvania has disclosed a significant data security incident that exposed the personal information of approximately 1.2 million donors, alumni, and other individuals connected to the university. The breach originated not within the university’s own systems, but through a vulnerability in the software of a major third-party vendor, highlighting the growing risk of supply chain cyberattacks.

If you have a relationship with Penn’s fundraising or alumni relations departments, this breach may have impacted your personal data. Here’s a detailed breakdown of what happened and the critical steps you should take to protect yourself.

A Closer Look at the Breach

The breach occurred within the university’s Development and Alumni Relations (DAR) division, which manages fundraising and engagement with the school’s supporters. An unauthorized actor exploited a security flaw in a platform called “NetCommunity,” which is provided by Blackbaud, a leading software supplier for non-profits, foundations, and educational institutions worldwide.

According to reports, the cybercriminal was able to access and copy a subset of the university’s data. While the attack took place earlier in the year, Blackbaud discovered the intrusion in May 2020 and began notifying its clients, including the University of Pennsylvania, in July.

The Blackbaud Connection: A Widespread Ransomware Attack

This incident was not isolated to the University of Pennsylvania. Blackbaud was the target of a massive ransomware attack that affected hundreds of its clients across the globe. The company admitted to paying the cybercriminal’s ransom demand in exchange for a promise that the stolen data would be destroyed.

While Blackbaud received confirmation that the data was deleted, security experts universally warn that there is no way to guarantee a criminal actor has honored such an agreement. The stolen information could still be sold, leaked, or used for malicious purposes in the future.

What Donor Information Was Exposed?

The compromised files contained a wealth of personal information that could be valuable to scammers and identity thieves. While each individual’s record may differ, the exposed data could include:

  • Full Names
  • Contact Information (addresses, phone numbers, email addresses)
  • Demographic Data
  • A History of Donations and Engagement with the university

Fortunately, it has been reported that more sensitive information, such as credit card details, bank account information, and Social Security numbers, was not compromised in this specific incident. However, the stolen personal data is more than enough to facilitate sophisticated phishing attacks and other fraudulent schemes.

Actionable Steps to Protect Your Information

Even if you only donated a small amount or haven’t been in contact with the university for years, it is crucial to act now. Cybercriminals often use data from one breach to attempt to access other, more sensitive accounts.

  1. Be on High Alert for Phishing Scams: This is the most immediate threat. Scammers may use the stolen information to craft highly convincing emails, text messages, or phone calls. Be suspicious of any unsolicited communication that claims to be from the University of Pennsylvania or any other organization you support. Never click on suspicious links or provide personal information in response to an email.

  2. Verify All Communications: If you receive a communication asking for information or money, independently verify it. Find the organization’s official phone number or website and contact them directly. Do not use the contact information provided in the suspicious message.

  3. Strengthen Your Passwords: While passwords were not directly part of this breach, strong password hygiene remains a critical security practice. Ensure you are using unique, complex passwords for all your online accounts, especially for financial and email services. Consider using a reputable password manager.

  4. Monitor Your Financial Accounts: Regularly review your bank and credit card statements for any unusual or unauthorized activity. Report any suspicious transactions to your financial institution immediately.

This breach serves as a stark reminder that our data is only as secure as the weakest link in the chain. As organizations increasingly rely on third-party vendors, the responsibility for vigilance falls on both the institution and the individual. Stay informed, remain skeptical of unsolicited requests, and take proactive steps to secure your digital life.

Source: https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-hacker-claims-1.2-million-donor-data-breach/
