A notorious hacking group has claimed responsibility for last year’s data breaches at Harvard University and the University of Pennsylvania (UPenn) and published the data that they claim to have stolen from the two schools. 

On Wednesday, the group known as ShinyHunters published what it claims are more than one million records from each university on the group’s dedicated leak site, which the gang uses to extort its victims.

In November, UPenn confirmed a data breach of “a select group of information systems related to Penn’s development and alumni activities.” At the time, the hackers also sent alumni emails announcing the hack from official university addresses. 

The university blamed the breach on social engineering, an attack that often relies on hackers impersonating someone and tricking them into doing something they would not normally do. In its official breach disclosure web page, which has since been taken offline, UPenn did not say exactly what type of data the hackers stole, simply saying the cybercriminals accessed “systems related to Penn’s development and alumni activities.”

TechCrunch verified a portion of the data set by confirming with alumni and public records, such as matching the data against student ID numbers.

Later in November, Harvard University also confirmed a breach on its alumni systems, blaming it on a voice phishing attack, meaning an attack where hackers tricked the targets into clicking on a link or opening an attachment with a voice call. 

Harvard said that the stolen data included email addresses, phone numbers, home and business addresses, event attendance, details of donations to the university, and other biographical information relating to the university’s fundraising and alumni engagement activities.

The data published by ShinyHunters, which TechCrunch has seen, appears to match the type of information that both universities said was stolen last year. 

The hackers said they published the stolen data because the universities refused to pay a ransom to stop them from doing so. Cybercriminals like ShinyHunters often try to extort their victims asking for payment in exchange for not publishing the data they stole, and if the victims refuse payment, they then release the data online. 

During the UPenn breach, the hackers made it seem like they had political motives, in particular they expressed discontent with affirmative action policies. “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits,” the hackers wrote in the email sent to alumni. 

ShinyHunters is not known to have political motives. The hackers did not respond to a question asking why they included that language in the email. 

Penn spokesperson Ron Ozio told TechCrunch that the university is “analyzing the data and will notify any individuals if required by applicable privacy regulations.”

Harvard did not respond to a request for comment.

View Bio