
On the morning of Friday, October 31, University of Pennsylvania (Penn) alumni, students and staff received several emails purporting to represent Penn’s Graduate School of Education (GSE).
The emails read:
Dear Penn community,
The University of Pennsylvania is a dogshit institution full of woke retards. We have terrible security practices and are completely unmeritocratic. We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits. We love breaking federal laws like FERPA (all your data will be leaked) and Supreme Court rulings like SFFA [Students for Fair Admissions v. Harvard].
Please stop giving us money.
Warm regards,
The University of Pennsylvania
The email included the official GSE logo.
Penn spokesperson Ron Ozio stated in an email on Friday that the school’s incident response team is “actively addressing” the situation.
“A fraudulent email has been circulated that appears to come from the University of Pennsylvania’s Graduate School of Education. This is obviously a fake, and nothing in the highly offensive, hurtful message reflects the mission or actions of Penn or of Penn GSE,” Ozio said.
The timing of the email may be linked to Penn’s rejection of an offer from the White House for more favorable treatment in exchange for agreeing to a proposed “Compact for Academic Excellence in Higher Education.” The GSE may have been the target of the hoax due to its general reputation for advocating in favor of diversity, equity and inclusion (DEI).
Although all universities experience cyber attacks from time to time, this Penn attack has been more visible due to its large-scale use of alumni and staff email addresses.
Hacking at Cornell
The two most noteworthy computer compromises at Cornell have been the Cornell Free Speech Alliance (CFSA) scraping thousands of email addresses from the Cornell website and the 1988 Morris internet worm.
In 2023, the CFSA, an alumni group focused on free speech, harvested email addresses that appeared either in the online Cornell alumni directory or on individual webpages of cornell.edu. The CFSA used a robot program to automatically access each webpage and capture any character string that looked like an email address. Such automation is called “scraping” a webpage.
In a May 2023 Sun story based upon an interview with then-President Martha Pollack, Pollack emphasized that Cornell had not given the CFSA the email addresses and that they had
“I think they’re well intentioned. I think they care about the University. They do not have any official connection to the University, [and] they do not speak for the University,” Pollack said. “They do not speak for me. I do not speak for them.”
After Cornell learned about the email harvesting, it removed all alumni email addresses from the online alumni directory and made scraping of the Cornell website more difficult. The terms of use for the Cornell website prohibit scraping.
Earlier, on November 2, 1988, Robert Tappan Morris, a Cornell graduate student, froze about 10% of the nation’s computers with a self-replicating virus that he had released over the internet. In the decade following that infection, Morris founded a cybersecurity company, which was sold to Yahoo in 1998 for $49 million. Morris had been prosecuted for releasing the worm and sentenced to three years of probation. He has since received tenure as a professor at MIT.
Beyond the cracking of Penn’s email system, it is unclear what other access the hackers gained to Penn’s systems.
