The University of Pennsylvania has had a tough time recovering from a large and embarrassing breach that took place last fall.

For one thing, the hackers obtained access to the personal records of more than 1.2 million students, alumni and donors – and released them publicly on a widely read hacker forum. They also released talking points the university used when talking to, and about, the donors.

Ouch.

Finally, the hackers obtained the email addresses of just about everyone at the university and sent them messages from an account linked to the Graduate School of Education. The emails, pretending to have been written by university officials, said in part:

“We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits . . .”

Lovely people. But since the emails appeared to be legitimate and official, the university had to quickly scramble and let everyone know they weren’t authentic – and, of course, beg everyone not to click on any links because this would obviously be the furtherance of the phishing attack.

So how did the hackers get into the Penn system in the first place?

According to the Daily Pennsylvanian, the hacker himself explained, to a point, how he did it and why:

The alleged hacker told BleepingComputer that their group gained access to Penn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files. To corroborate these claims, they shared “screenshots and data samples” with the publication.

The purported hacker also told BleepingComputer that the information was not stolen to extort the University.

“We don't think they’d pay, and we can extract plenty of value out of the data ourselves," the hacker told the outlet. 

They said the attack wasn’t politically motivated and that the main target was Penn’s “vast, wonderfully wealthy donor database.”

We’ve had a variety of blogs in this space about the vulnerabilities in platforms like Salesforce, SharePoint, various analytics platforms and other things hackers can exploit. There may have been patches available that the university was slow to implement.

I don’t know the details of what happened internally, but I do know Penn is coming under a lot of heat for being lax about its cybersecurity measures.

If you’re wondering about your own possible vulnerabilities, which could come through familiar platforms like Salesforce, SharePoint, Microsoft Teams and others, our team can perform an assessment for you and help you to implement straightforward steps to close those vulnerabilities – as well as ongoing strategies to keep yourself protected.

Remember, hackers don’t care how big or small you are. They care what they can do with your data – and that includes your customer data as well.

Let’s make sure they never get the chance. Contact us at dacarey@cybersynergies.io or call 616.600.4180.