Imagine opening your inbox and seeing a frightening message with the subject, "We got hacked (Action Required)" from your former university. That's precisely what happened to University of Pennsylvania (Penn) employees, faculty, and students this week.
What actually happened
Here's the short version:
- Many students, faculty, and alumni at Penn received email messages from the university stating it was hacked.
- The subject line was, "We got hacked (Action Required)", and the body of the email was filled with derogatory statements and numerous profane words regarding the university.
- The individual who sent the email claimed they had stolen private information and threatened to release it.
- Penn's IT team sent a message indicating the email was not real and advised recipients to disregard it.
- The email was distributed via one of Penn's official email lists, creating the appearance that it was legitimate.
Why does this matter?
Even if you weren't a student at Penn, this event is still significant. Here's why:
- Universities keep a large amount of private information: names, addresses, grades and sometimes financial information.
- If hackers did gain access, that information could be leaked online or sold.
- The emails also included political slurs, suggesting the motive may be criticism of Penn's data practices rather than just a hack.
- Worse, the emails came from an official mailing list system (Salesforce Marketing Cloud), not from some random spam account. That is clever, and unsettling.
What we don’t know
There are still some big questions that remain unanswered:
- How many people received the fake email?
- Did the hackers actually steal any data?
- Who sent it, and why would they target Penn?
- Was Penn's system actually hacked, or did someone just spoof an email address?
My perspective
To be honest, I find this type of attack interesting. This isn't your average "click here" scam. This is more of a public service announcement and cyber-bullying at the same time. The hackers were looking for attention, and they got it!

If I happened to work for a university, I would be quickly doing any number of the following:
- Identifying the persons who have access to mailing lists.
- Changing all mail passwords.
- Informing users that they should not click on links or reply to suspicious emails.
- Telling users exactly what breach has taken place, with no cover-up and no fear-mongering.
Even if you are not associated with Penn, use this as a reminder:
- Don't trust every "urgent" email: always check the sender's email address.
- If you want to validate information, go to the known website.
- Don't click random links or provide personal info.
- Ask your workplace or school if they have strong email security.
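The open question above (was the system hacked, or was an address merely spoofed?) and the reminder to check the sender address both come down to what a mail header shows. The following is an added example, not code from the original post or from Penn, that triages the raw headers of a message: it pulls the SPF, DKIM and DMARC verdicts from the Authentication-Results header, compares the From: domain with the envelope sender (Return-Path), and reports the result. Both sample messages, the domains in them, and the platform name are constructed. The second sample makes the point the post hints at: a message sent through the institution's real bulk-mail platform passes every authentication check, so "check the sender" catches plain spoofing but not abuse of a legitimate list, and confirming through the known website remains necessary.

```python
# Added example (not from the original post): header triage for a suspicious
# "urgent" email. All sample messages and domains below are constructed.
import email
import re
from email import policy
from email.utils import parseaddr


def parse_auth_results(header_value):
    """Pull spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(r"\b%s=([A-Za-z]+)" % method, str(header_value))
        if match:
            verdicts[method] = match.group(1).lower()
    return verdicts


def domain_of(address_header):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(str(address_header or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Summarise the authentication state of one message (headers only)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []) or []:
        verdicts.update(parse_auth_results(header))
    failed = [m for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "verdicts": verdicts,
        "failed": failed,
        # Authenticated is not the same as trustworthy: mail sent through the
        # institution's real mailing platform passes all three checks.
        "authenticated": not failed,
        # A different envelope domain is normal for bulk-mail platforms, so it
        # is reported as context rather than treated as a failure.
        "envelope_mismatch": envelope_domain != from_domain,
    }


# CONSTRUCTED sample 1: From: domain spoofed, delivered from an unrelated host.
SPOOFED = """\
Return-Path: <bounce@bad-host.example>
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bad-host.example; dkim=none; dmarc=fail header.from=university.example
From: IT Security <alerts@university.example>
To: someone@recipient.example
Subject: We got hacked (Action Required)

Body omitted.
"""

# CONSTRUCTED sample 2: sent through a bulk-mail platform the institution
# really uses, so every check passes even though the content may be hostile.
VIA_PLATFORM = """\
Return-Path: <bounce-123@mail.bulkplatform.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mail.bulkplatform.example; dkim=pass header.d=university.example; dmarc=pass header.from=university.example
From: University News <news@university.example>
To: someone@recipient.example
Subject: We got hacked (Action Required)

Body omitted.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("via platform", VIA_PLATFORM)):
        print(label, triage(sample))
```

Run it as a script and the first sample reports all three methods failed with a mismatched envelope domain, while the second reports fully authenticated mail that still carries the hostile subject line. In a real investigation the Authentication-Results header must come from your own receiving mail server (earlier copies can be forged by the sender), which is why the function only looks at the header the way an inbound gateway would stamp it.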