Date of Incident:
2025-10-30
Overview:
The University of Pennsylvania, in the education sector, suffered a significant data breach that was reported on November 2, 2025. The intrusion, which began on October 30, 2025, exposed sensitive information on 1.2 million donors, including personal and demographic details, and led to offensive emails being sent to roughly 700,000 recipients. Attackers gained initial access through compromised VPN credentials and then moved into multiple systems, including Salesforce, Qlik, SAP and SharePoint. The observed activity maps to MITRE ATT&CK techniques for valid-account abuse, scripted execution and lateral movement, with credential-harvesting scripts and data-exfiltration tooling deployed along the way. Anomalies noted in the logs included suspicious VPN activity and unauthorized API calls.
Impact:
Data on 1.2 million donors and internal documents were exposed, including names, dates of birth, addresses, phone numbers, estimated net worth, donation history, and demographic details such as religion, race and sexual orientation. Offensive emails were sent to roughly 700,000 recipients. The attackers accessed multiple university systems: the VPN, Salesforce data, the Qlik analytics platform, the SAP business intelligence (BI) system, and SharePoint files.
Details:
The observed activity maps to MITRE ATT&CK techniques T1078 (Valid Accounts, Initial Access), T1059 (Command and Scripting Interpreter, Execution) and T1021 (Remote Services, Lateral Movement). Attackers used compromised VPN credentials to enter the university network. Tooling observed included credential-harvesting scripts and automated data-exfiltration tools aimed at the Salesforce, Qlik analytics, SAP BI and SharePoint platforms. Indicators of compromise (IOCs) include suspicious source IP addresses on inbound VPN connections, logins at anomalous times in the VPN logs, unauthorized Salesforce API calls, and unusual traffic volumes in the SAP BI logs. Authentication logs showed runs of failed login attempts followed by a successful login and subsequent privilege escalation, possibly through permission misconfigurations. Registry changes and malware hashes were not fully disclosed, but forensic analysis indicated that PowerShell scripts were used to automate data extraction.
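Two of the VPN-log indicators named above (a run of failed logins followed by a success, and a success from a previously unseen address at an anomalous hour) can be turned into a simple detection. The following is an added example, not code from the original write-up or from the university; the log format (`timestamp user src_ip result`, one event per line), the thresholds and the sample log lines are all assumptions constructed for illustration.

```python
"""Flag the VPN-login anomalies described in the incident write-up.

Checks two indicators over an authentication log:
  1. at least FAIL_THRESHOLD failed logins for one account within
     WINDOW_SECONDS, followed by a success (spraying/stuffing that lands);
  2. a success from an IP address never seen for that account before,
     at an hour outside the account's assumed working hours.
The log format 'timestamp user src_ip result' is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication log (not real university data).
SAMPLE_LOG = """\
2025-10-29T09:02:11Z jdoe 128.91.10.5 SUCCESS
2025-10-29T17:45:03Z jdoe 128.91.10.5 SUCCESS
2025-10-30T02:13:40Z jdoe 203.0.113.77 FAIL
2025-10-30T02:13:52Z jdoe 203.0.113.77 FAIL
2025-10-30T02:14:05Z jdoe 203.0.113.77 FAIL
2025-10-30T02:14:19Z jdoe 203.0.113.77 FAIL
2025-10-30T02:14:31Z jdoe 203.0.113.77 SUCCESS
2025-10-30T08:55:00Z asmith 128.91.22.9 SUCCESS
2025-10-30T09:10:12Z asmith 128.91.22.9 FAIL
2025-10-30T09:10:30Z asmith 128.91.22.9 SUCCESS
"""

FAIL_THRESHOLD = 3          # assumed: failures before a success treated as suspicious
WINDOW_SECONDS = 600        # assumed: failures must fall within this window
WORK_HOURS = range(7, 20)   # assumed normal login hours (UTC) for this tenant


def parse(log_text):
    """Parse log lines into (timestamp, user, src_ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect(log_text):
    """Return a list of (alert_type, user, src_ip, iso_timestamp) alerts."""
    events = sorted(parse(log_text))   # evaluate in chronological order
    recent_fails = defaultdict(list)   # user -> timestamps of failures since last success
    known_ips = defaultdict(set)       # user -> IPs seen on earlier successes
    alerts = []
    for ts, user, ip, result in events:
        if result != "SUCCESS":
            recent_fails[user].append(ts)
            continue
        # Count failures that fell inside the window before this success.
        in_window = [t for t in recent_fails[user]
                     if 0 <= (ts - t).total_seconds() <= WINDOW_SECONDS]
        if len(in_window) >= FAIL_THRESHOLD:
            alerts.append(("brute_force_then_success", user, ip, ts.isoformat()))
        recent_fails[user].clear()
        # Only alert on a new IP once a baseline exists for the account,
        # so the very first login of an account does not fire.
        if known_ips[user] and ip not in known_ips[user] and ts.hour not in WORK_HOURS:
            alerts.append(("new_ip_off_hours", user, ip, ts.isoformat()))
        known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Against the sample log this flags only `jdoe`: four failures in under a minute from 203.0.113.77 followed by a success, and that success comes from an address never seen for the account at 02:14 UTC. The single failed attempt by `asmith` during working hours from a known address stays below the threshold. In production the thresholds and working-hour baseline would be derived per user or per role rather than hard-coded.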
Remediation:
University IT issued emergency credential resets and mandated multi-factor authentication (MFA) for the VPN and all critical systems, including Salesforce and Qlik. Vendor patches for vulnerabilities in SAP BI and SharePoint were applied promptly. Temporary mitigations included network segmentation, enhanced monitoring of VPN and cloud service access logs, and phishing awareness training for staff. A known workaround is to disable legacy authentication protocols, which cannot enforce MFA, until the security updates have been verified.
Takeaway for CISO:
This breach underscores the critical need for robust identity and access management (IAM) controls, especially for privileged and remote access such as VPN. CISOs must prioritize MFA enforcement, continuous monitoring of authentication and API activity, and rapid incident response to limit data exposure. The attack also highlights the importance of controlling who can send mail from university systems, so that a data leak cannot be followed by offensive or fraudulent mass communications.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-powered Continuous Automated Red Teaming (CART), penetration testing and next-generation attack surface management.