Last updated 1 month ago
The University of Pennsylvania, a major U.S. higher education institution, experienced a data breach in October 2025 that was publicly disclosed in February 2026. The incident exposed 624,000 unique donor records containing email addresses, names, and physical addresses. Attackers subsequently sent inflammatory emails to some victims before publishing the data online.
The breach targeted the university's donor database through unauthorized access, though specific initial access vectors remain unconfirmed. Exfiltrated data included comprehensive donor information: email addresses, names, physical addresses, gender, and dates of birth. A subset of records contained sensitive personal details including religion, spouse names, estimated income, and donation history, creating significant privacy risks for affected individuals.
Following the breach, attackers issued a ransom demand and later published the stolen data online in February 2026. The university has not disclosed whether any ransom was paid. The incident represents a significant compromise of donor privacy and institutional data security.
Data breach followed by ransom demand, affecting donor database
This breach demonstrates critical security control failures in protecting sensitive donor databases at educational institutions. The exposure of highly personal information including religion, income estimates, and donation history indicates inadequate data classification and access controls for sensitive alumni/development systems. The four-month gap between discovery and public disclosure suggests potential incident response deficiencies in containment and notification processes.