Penn Braces for Alumni Lawsuits After Major Data Breach

Following a recent security breach involving “select information systems,” the University of Pennsylvania is facing multiple class action lawsuits. These legal actions assert that the institution failed to implement adequate measures to safeguard sensitive data.

As of this report, The Daily Pennsylvanian has identified four lawsuits initiated by Penn graduates. The primary plaintiffs are Christopher Kelly, a 2014 College graduate; Mary Sikora, a 2018 graduate of the University of Pennsylvania Carey Law School; Christian Bersani, also a 2014 College graduate; and Kelli Mackey, a 2022 Graduate School of Education alumna. Three of these lawsuits were filed on Tuesday, following Kelly’s initial filing on Monday evening.

Attempts were made to reach Kelly and Bersani for comment; Mackey and Sikora could not be reached before publication. Notably, the claims in three of the lawsuits are identical, with Kelly being the first to submit his filing on November 3, followed by Sikora and Bersani the next day. The lawsuits state that the University was negligent in several key areas, including failing to maintain a robust data security system, lacking adequate monitoring for intrusions, and not ensuring that its vendors adhered to proper security protocols.

The fourth lawsuit, brought forth by Mackey, echoes similar allegations, asserting that the University did not adequately protect the sensitive information of its students, alumni, and donors. Mackey claims she was required to provide her Personally Identifiable Information to the University during her time at GSE and chose to remain on Penn’s mailing list for relevant updates and announcements.

On November 2, reports from BleepingComputer indicated that a hacker responsible for the breach claimed to have compromised data belonging to 1.2 million individuals, including current students, alumni, and donors. Mackey’s lawsuit further contends that the extent of the breach appears to far exceed what the University currently acknowledges.

The lawsuits reflect mounting concern over the implications of this security incident, highlighting that the full ramifications are yet to be understood. The filings note that as time progresses, additional consequences related to the breach are likely to emerge.

In response to the incident, Penn issued a communication to its community, announcing that the breach has been “contained.” Joshua Beeman, Interim Vice President of Information Technology and Interim Chief Information Officer, indicated that the University is actively investigating the specific types of information that may have been compromised. The statement included a reference to a webpage dedicated to “Cybersecurity incident information and FAQ,” which provides additional insights into the University’s ongoing response to this serious matter.

The University of Pennsylvania’s experience underscores the critical importance of robust cybersecurity measures in protecting sensitive data. In MITRE ATT&CK terms, tactics such as initial access, persistence, and privilege escalation may have been employed during the breach, a stark reminder to organizations of the weaknesses in their own security postures. Businesses must remain vigilant and enhance their defenses to mitigate similar risks.
