University of Pennsylvania Faces Lawsuit Over Data Breach


News Summary

The University of Pennsylvania is being sued following a significant data breach stemming from a fraudulent email incident. The class-action lawsuit claims that the university failed to adequately protect sensitive personal information of students and faculty members. This breach reportedly allowed unauthorized access to personally identifiable information, leading to fears of misuse by cybercriminals. The university has confirmed that fraudulent emails were circulated and is collaborating with law enforcement to investigate the incident further. The incident highlights growing concerns over cybersecurity in educational institutions.

Philadelphia

The University of Pennsylvania is facing a new class-action lawsuit alleging failure to safeguard sensitive personal data, following a widespread fraudulent email incident that occurred on October 31, 2025. The lawsuit, filed on January 28, 2026, claims that the university’s cybersecurity shortcomings allowed for the exposure of personally identifiable information (PII) belonging to students and faculty.

Recent Legal Action

Plaintiff Christopher F. Kelly initiated the class-action complaint in a Pennsylvania federal court, asserting that the University of Pennsylvania neglected its duty to protect and secure the private data of its community members. This alleged failure ultimately led to their information falling into the hands of cybercriminals, who are expected to use it for malicious purposes. The lawsuit specifies that the data breach, which took place around October 31, 2025, involved “unknown actors” infiltrating university email accounts and subsequently using them to send a mass email warning recipients about impending data leaks.

The legal filing further contends that this breach granted unauthorized access to PII, including names, addresses, and Social Security numbers, of students and faculty. The fraudulent emails, sent from compromised “@upenn.edu” accounts linked to the Graduate School of Education, were distributed to a broad audience, encompassing students, faculty, alumni, and parents. This dissemination reportedly alerted many individuals to the breach even before the University of Pennsylvania issued any direct official notification.

Since the initial data breach, the plaintiff has reported an increase in spam emails, text messages, and phone calls, reinforcing the claim that cybercriminals are in possession of his sensitive personally identifiable information.

The October 2025 Email Incident

The foundation of this lawsuit traces back to the offensive and fraudulent emails that rattled the University of Pennsylvania community on Friday, October 31, 2025. These emails, appearing to originate from the university and specifically utilizing the letterhead of its Graduate School of Education, contained highly vulgar and critical language aimed at the institution.

The messages referred to the University of Pennsylvania as a “dogs— elitist institution full of woke retards” and overtly criticized its “terrible security practices.” Some emails carried the provocative subject line “We got hacked (Action Required),” despite the university’s initial assertion that it had not been hacked but was investigating the source of the fraudulent messages.

Beyond the offensive language, the emails made specific claims, such as: “We hire and admit morons because we love legacies, donors and unqualified affirmative action admits.” They also boasted, “We love breaking federal laws like FERPA (all your data will be leaked) and Supreme Court rulings like SFFA.” These statements referenced the Family Educational Rights and Privacy Act (FERPA), a federal law designed to protect student education records, and the “Students for Fair Admissions” (SFFA) Supreme Court ruling concerning race-based admissions policies.

The emails urged recipients to “Please stop giving us money.”

University’s Response and Ongoing Investigation

In the wake of the October 2025 incident, a University of Pennsylvania spokesperson promptly confirmed the circulation of fraudulent emails and emphasized that the offensive content did not reflect the mission or actions of Penn or its Graduate School of Education. The university stated that its Office of Information Security was aware of the situation, and its Incident Response team was actively addressing it.

Although the university initially denied a hack, it later indicated that the incident involved a “breach of data of select information systems.” The university acknowledged that an offensive and fraudulent email was sent and that information was taken by the attacker. It clarified that the compromise appeared to involve UPenn’s Salesforce Marketing Cloud infrastructure. The university has since reported the incident to the FBI and is collaborating with law enforcement and third-party cybersecurity professionals, including CrowdStrike, to investigate the breach rapidly.

Penn’s staff swiftly secured the affected systems to prevent further unauthorized access, and all systems have since been restored and are fully operational. The university is still determining the exact nature of the information that was obtained during the incident.

The university has advised its community members, both internal and external, to remain vigilant against suspicious calls or emails that could be phishing attempts, particularly those soliciting fraudulent donations, asking for system credentials, or suggesting credential changes. They also cautioned against clicking on unfamiliar embedded links in emails.

Moreover, all faculty, staff, and student employees have been mandated to complete cybersecurity training by December 31, 2025, to enhance awareness of cybersecurity threats and best practices.

Impact and Broader Concerns

The fraudulent emails caused significant inconvenience, distress, and hurt among the Penn community, which the university acknowledged and apologized for. The incident highlights the persistent threat of cyberattacks, especially spear phishing, which targets specific groups or communities.

The allegations within the fraudulent emails, particularly concerning “terrible security practices” and threats to leak FERPA-protected data, underscore the critical importance of robust cybersecurity measures and data privacy in academic institutions. The class-action lawsuit further emphasizes the legal and reputational consequences for organizations that fail to adequately protect personal information in an increasingly digital landscape.

Frequently Asked Questions

  • What is the University of Pennsylvania investigating?
    The University of Pennsylvania is currently investigating a series of vulgar and fake emails that were sent using the institution’s official letterhead. This investigation now includes the fallout from a class-action lawsuit filed on January 28, 2026, alleging failure to protect sensitive data after the fraudulent email incident of October 31, 2025.
  • What was the nature of the content in these fake emails?
    The emails contained offensive language, referring to the University of Pennsylvania as a “dogs–t elitist institution full of woke retards” and criticizing its “terrible security practices”. They also made claims about admissions policies, hiring practices, and threatened to leak data protected under FERPA.
  • When were these emails reportedly sent or discovered?
    The initial fraudulent emails were sent to the Penn community on Friday, October 31, 2025. The class-action lawsuit related to this incident was filed on January 28, 2026.
  • What is the university’s stance and response to these emails and the data breach?
    The university confirmed the emails were fraudulent, “obviously a fake,” and “highly offensive,” stating they do not reflect Penn’s mission or values. While initially denying a hack, UPenn later acknowledged a “breach of data of select information systems” and that information was taken by the attacker. The University’s Office of Information Security and Incident Response team is actively addressing the situation, working with the FBI and third-party cybersecurity professionals like CrowdStrike. All affected systems have been restored.
  • What data is alleged to have been exposed in the breach?
    The class-action lawsuit alleges unauthorized access to personally identifiable information (PII) of students and faculty, including names, addresses, and Social Security numbers. The fraudulent emails themselves threatened that “all your data will be leaked” and mentioned “breaking federal laws like FERPA”.

Key Aspects of the UPenn Email Incident and Aftermath

Aspect | Detail | Scope
Original Incident Date | October 31, 2025 | Local
Latest Development | Class-action lawsuit filed on January 28, 2026 | Local
Email Content | Vulgar, critical of UPenn as “dogs— elitist institution full of woke retards,” claimed “terrible security practices,” criticized hiring/admissions, urged “stop giving us money” | Local
Sender Impersonation | Appeared to come from UPenn’s Graduate School of Education, used official letterhead | Local
Alleged Data Breach | Lawsuit claims exposure of PII (names, addresses, Social Security numbers); emails threatened “all your data will be leaked” and mentioned FERPA violations | Local
University’s Initial Response | Confirmed fraudulent, “obviously fake,” “highly offensive” emails; stated content does not reflect Penn’s mission | Local
Ongoing University Actions | Investigating with FBI and third-party cybersecurity experts (CrowdStrike); systems secured and restored; mandatory cybersecurity training for employees | Local
Impact on Community | Caused inconvenience, hurt, and distress; increased spam for some recipients | Local

Author: STAFF HERE PHILADELPHIA WRITER