Scott+Scott Attorneys at Law LLP, a national leader in data-breach and privacy litigation, is investigating potential claims arising from a recently disclosed cybersecurity incident involving the University of Pennsylvania (“UPenn”).
According to UPenn, the university detected a data-security incident on or around October 31, 2025, after discovering that an unauthorized actor accessed certain UPenn systems. The threat actor emailed students, faculty, alumni, and other community members stating that it obtained large volumes of personal data.
According to BleepingComputer, the threat actor claims that it gained full access to an employee’s PennKey SSO account, allowing access to UPenn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files. The unauthorized actor claimed to obtain access to at least 1.7 gigabytes of data.
The stolen data from UPenn students, alumni, and donors includes, at minimum:
- Names
- Dates of birth
- Addresses
- Phone numbers
- Estimated net worth
- Donation history
- Demographic attributes such as religion, race, and sexual orientation
Because this data appears to include wealth-screening details, demographic information, and other potentially sensitive personal information, affected individuals may be at heightened risk of identity theft and other serious violations of your privacy.
If you have received a legal notice, data breach letter, or any other memorandum about this data security incident and are interested in joining a lawsuit, contact Scott+Scott by filling out the form below.