FAQ Last Updated: December 02, 2025, 8 a.m.

On October 31, Penn discovered that a select group of information systems related to Penn’s development and alumni activities had been compromised. Penn employs a robust information security program; however, access to these systems occurred due to a sophisticated identity impersonation attack, commonly known as social engineering.

Penn’s staff rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker. Penn is still investigating the nature of the information that was obtained during this time.

It is important to note that all systems have been restored and are fully operational.

We recognize the severity of this incident and are working diligently to address it. Since the incident, Penn’s information security teams have been working around the clock. Penn has notified the FBI and continues to work with law enforcement. We are investigating the incident with the assistance of third-party cybersecurity professionals, including CrowdStrike, an industry leader in cybersecurity.

We encourage our entire community — inside and outside of Penn — to be wary of suspicious calls or emails that could be phishing attempts, particularly those that may be soliciting fraudulent donations, asking for your system credentials, or suggesting you change credentials or passwords. Also be wary of any embedded links in emails that you are not familiar with. For more information about how to keep your system and Penn’s secure, read Penn’s Information Systems & Computing (ISC) tips on protecting your information.

FAQ

Our investigation is ongoing. At this time, we are aware that systems related to Penn's development and alumni activities were accessed through stolen credentials. We are still conducting our forensic investigation, but to date the systems we know were accessed include Penn’s Customer Relationship Management (CRM) system (Salesforce), file repositories (SharePoint and Box), a reporting application (QlikView), and Marketing Cloud.

Unfortunately, even the most sophisticated security systems are vulnerable to social engineering attacks, in which bad actors deceive individuals into giving up confidential information that compromises security and can be used to access private systems and information. That is what happened in this instance. As soon as Penn was made aware of the unauthorized access to its systems, it was able to lock down its systems.

We are confident that this incident has been contained and that we are operating with full system integrity. While no system is 100% impervious to this type of attack, Penn is taking immediate steps to reduce the threat of future social engineering attacks through increased monitoring and additional security measures. Penn will also be instituting additional mandatory trainings. We are continuously working to improve our information security program and systems.

The 1.2 million number has been mischaracterized and overstates the impact. We are still conducting our forensic investigation to determine the exact nature and extent of the information, and therefore cannot provide a precise number. However, we do know that the stolen credentials were used to access systems related to Penn's development and alumni activities.

Penn is currently analyzing the impacted information to determine the exact nature of what was taken. Once that analysis is complete, Penn intends to notify any individuals with impacted personal information, if and when appropriate and as required by applicable notification laws.

We have no indication that the incident affected the medical records systems of Penn Medicine or Penn Wellness' Student Health and Counseling.

Penn’s ISC website offers guidance related to digital security. Additional resources are available on the webpage of the National Cybersecurity Alliance. 

Investigations of this nature, done thoroughly, take time to complete. While we are not able to share a specific timeline, please know we are working with third-party cybersecurity experts to review potentially impacted data as quickly, thoroughly, and carefully as possible. Once that analysis is complete, Penn intends to notify any individuals with impacted personal information, if and when appropriate and as required by applicable notification laws.

This dedicated webpage is the best place to get the latest information about the October 31 cybersecurity incident. We encourage all members of the University community with questions to refer to the information posted here, which we update as the investigation progresses.

We understand your concern and take these matters very seriously. While our investigation is ongoing, we do not currently have evidence to indicate that information involved in this incident has been used for the purposes of fraud.

At this time, we are analyzing the impacted information to determine the exact nature of what was taken. Once that analysis is complete, Penn intends to notify any individuals with impacted personal information, if and when appropriate and as required by applicable notification laws.

In the meantime, it is always a good idea to take the steps below to monitor and protect your credit and identity, including:

  • Review your credit reports regularly
  • Place fraud alerts with the major credit bureaus if you notice suspicious activity
  • Monitor your financial accounts for unauthorized transactions
  • Be cautious of unsolicited communications asking for personal information

All faculty, staff, student employees and other Penn employees have been asked to participate in a cybersecurity training that addresses cybersecurity threats and best practices. Employees are required to take this training by December 31 because cybersecurity is a team effort.