UPenn claims "Under 10" victims in 1.2M breach involving donors like Trump and Musk

PHILADELPHIA - If a hacker breaches a university’s secure servers and steals a donor’s Social Security number, the law is clear: the institution must alert the victim immediately. But if that same attacker exfiltrates the donor’s home address, unlisted cellphone numbers, personal email and a detailed history of their estimated net worth?
In Pennsylvania, the university can legally say nothing.
This statutory gap is at the center of a brewing controversy at the University of Pennsylvania. Following a cyberattack last October that threat actors claim exposed the records of 1.2 million students, alumni, and donors, the university has taken a startling legal position. In a federal court filing this week, UPenn maintained that it was required to notify fewer than ten people.
The disparity - 1.2 million alleged victims versus a single-digit notification list - highlights how antiquated state privacy laws are failing to keep pace with modern data exfiltration.
The Courtroom Collapse
The university's legal strategy came to light on Monday, Feb. 2, in the U.S. District Court for the Eastern District of Pennsylvania.
Following the breach, 18 separate lawsuits were filed by alumni - including lead plaintiff Christopher Kelly, a 2014 graduate - who feared their identity was at risk. These cases were consolidated into a single class action, operating on the assumption that the "1.2 million" figure cited by the hackers warranted mass legal recourse.
But the case crumbled in real time when university counsel revealed the results of their internal review: because the stolen data lacked specific PII (Social Security numbers, payment details, etc.), the number of people legally impacted was "less than ten."
The revelation was a tactical knockout. Since none of the named plaintiffs were among that tiny group, they effectively lacked the standing to sue. By Wednesday, seven of the original plaintiffs had already withdrawn their claims, their legal challenges dismantled by a technicality.
The ‘Personal Information’ Gap
UPenn’s defense rests entirely on the Pennsylvania Breach of Personal Information Notification Act (BPINA). Like many state laws drafted in the early 2000s, BPINA relies on a narrow, fraud-focused definition of "personal information."
To trigger a mandatory legal warning, a breach must typically involve a name linked to a specific financial identifier, such as a Social Security number, a driver’s license number, or a bank account password.
The attackers, a notorious group known as ShinyHunters, targeted a different kind of data. By compromising the university’s Salesforce and analytics systems, they allegedly exfiltrated "soft" data: demographic profiles, political affiliations, and wealth assessments used for fundraising.
Because this data does not enable direct financial fraud in the traditional sense, it falls into a legal gray zone. UPenn’s lawyers successfully argued that without the specific identifiers listed in the statute, the theft of a million donor profiles did not technically constitute a reportable "breach" for the vast majority of those affected.
Silence Provokes a Storm
The university’s reliance on this legal technicality appears to have backfired, transforming a quiet legal defense into a public crisis.
The threat actors, apparently insulted by the university’s claim that only ten people were affected, retaliated on Wednesday. "Penn did not pay a ransom or cooperate," ShinyHunters wrote on a dark web forum, before dumping a fresh cache of sensitive documents.
The leak was designed to inflict maximum reputational damage. It included internal "talking points" regarding campus antisemitism and files tagging specific alumni as "Ultra High Net Worth" - including members of the Trump family.
By adhering strictly to the minimum notification requirements of BPINA, the university may have avoided the logistical burden of notifying 1.2 million people, but it arguably incurred a much higher cost: the vengeful release of the very data it claimed wasn't "personal" enough to warrant a warning.
A Pattern of Vulnerability
The incident raises uncomfortable questions for the Ivy League institution, which has suffered a string of security failures this academic year.
In November, just weeks after the initial ShinyHunters intrusion, the university was hit by a separate breach involving its Oracle E-Business Suite - part of a global vulnerability that also ensnared Harvard. That attack likely impacted over 100,000 individuals.
In the same Monday filing where they dismantled the ShinyHunters lawsuit, UPenn lawyers moved to transfer claims regarding the Oracle breach to a multi-district litigation court in Texas. This maneuver would bundle Penn’s liability with other affected universities, further distancing the administration from local scrutiny.
For privacy advocates, the ShinyHunters case will likely serve as a case study. It demonstrates that in the current legal landscape, institutions can be fully compliant with the law while leaving their community completely in the dark.
"We are analyzing the data and will notify any individuals if required by applicable privacy regulations," a university spokesperson said. For 1.2 million people, that requirement may never come.