The University of Pennsylvania confirmed a social‑engineering attack compromised information systems tied to development and alumni operations and said it is working with the FBI and CrowdStrike to investigate. University officials locked down affected systems after an offensive, fraudulent email circulated across the community; investigators are still determining the scope of data accessed. An anonymous post accompanying leaked documents claimed the hacker had obtained personal records for roughly 1.2 million students, alumni and donors; Penn said it cannot yet verify that number while forensics continue. The incident included publication of internal documents and donor‑related materials that the attacker offered to release in stages, the leak statement said. University leaders emphasized containment, notification and heightened phishing education for campus stakeholders. The case underscores widening cybersecurity liabilities for higher‑education institutions — particularly fundraising offices that hold sensitive donor and alumni records — and raises questions about incident response, insurance and donor trust as forensics proceed.