A notorious hacking group has claimed responsibility for last year’s data breaches at Harvard University and the University of Pennsylvania and published what they claim are more than 1 million records from each institution.
On Wednesday, the group known as ShinyHunters published the data on the gang’s dedicated leak site, which they use to extort victims. In November, UPenn confirmed a data breach of “a select group of information systems related to Penn’s development and alumni activities.” The university blamed the breach on social engineering, an attack that often relies on hackers impersonating someone and tricking them into doing something they would not normally do. At the time, hackers also sent alumni emails announcing the hack from official university addresses.
Later in November, Harvard University confirmed a breach on its alumni systems, blaming it on a voice phishing attack, meaning hackers tricked targets into clicking on a link or opening an attachment through a voice call. Harvard said the stolen data included email addresses, phone numbers, home and business addresses, event attendance, details of donations to the university, and other biographical information relating to fundraising and alumni engagement activities.
The data published by ShinyHunters appears to match the type of information both universities said was stolen last year. A portion of the dataset was verified by confirming with alumni and public records, such as matching data against student ID numbers. The hackers said they published the stolen data because the universities refused to pay a ransom to stop them from doing so.
During the UPenn breach, the hackers made it seem like they had political motives, expressing discontent with affirmative action policies. “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits,” the hackers wrote in the email sent to alumni. ShinyHunters is not known to have political motives.
Penn spokesperson Ron Ozio said the university is “analyzing the data and will notify any individuals if required by applicable privacy regulations.” Harvard did not respond to a request for comment. The breaches highlight ongoing vulnerabilities in higher education institutions’ cybersecurity systems and the risks facing alumni data stored for fundraising and engagement purposes.
