University of Pennsylvania Vendor Cyber Rating & Cyber Score

upenn.edu
ISOSOC2 Type 1SOC2 Type 2PCI DSSHIPAAGDPR

The University of Pennsylvania is one of the oldest universities in America and, as a member of the Ivy League, one of the most prestigious institutions of higher learning in all the world. Penn is home to 12 schools including the School of Arts and Sciences, the School of Nursing, the School of Engineering and Applied Science and the Wharton School of Business, as well as several graduate and professional schools such as the Perelman School of Medicine.

University of Pennsylvania A.I CyberSecurity Scoring

UP

Company Details

Linkedin ID:

university-of-pennsylvania

Website:

http://www.upenn.edu/

Employees number:

22,599

Number of followers:

579,397

NAICS:

6113

Industry Type:

Higher Education

Homepage:

upenn.edu

IP Addresses:

1047

Company ID:

UNI_5783928

Scan Status:

In-progress

AI scoreUP Risk Score (AI oriented)

Between 650 and 699

https://images.rankiteo.com/companyimages/university-of-pennsylvania.jpeg
UP Higher Education
Updated:
  • Powered by our proprietary A.I cyber incident model
  • Insurance preferes TPRM score to calculate premium
Get a Score Increase
globalscoreUP Global Score (TPRM)

XXXX

https://images.rankiteo.com/companyimages/university-of-pennsylvania.jpeg
UP Higher Education
  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

University of Pennsylvania

Weak
Current Score
684
B (Weak)
01000
2 incidents
-73.0 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.

APRIL 2026
684
MARCH 2026
682
FEBRUARY 2026
680
JANUARY 2026
679
DECEMBER 2025
690
NOVEMBER 2025
689
OCTOBER 2025
688
SEPTEMBER 2025
686
AUGUST 2025
730
Breach
01 Aug 2025 • University of Pennsylvania confirms new data breach after Oracle hack
University of Pennsylvania Oracle E-Business Suite Data Breach

​The University of Pennsylvania (Penn) has announced a new data breach after attackers stole documents containing personal information from its Oracle E-Business Suite servers in August. The private Ivy League research university was founded in 1740 and has 5,827 faculty members and 29,109 students, with an 8:1 student-to-faculty ratio. It also has an academic operating budget of $4.7 billion and an endowment of $24.8 billion as of June 30, 2025. The University of Pennsylvania disclosed another breach in late October 2025, after a hacker compromised internal systems and stole data on Penn's development and alumni activities. The attacker claimed they exfiltrated personal information belonging to roughly 1.2 million students, alumni, and donors. In recent weeks, other Ivy League schools have been targeted by a series of voice phishing attacks, with Harvard University and Princeton University also reporting that a hacker breached systems used for development and alumni activities to steal the personal information of students, alumni, donors, staff, and faculty. Penn's Oracle EBS breach In a breach notification letter filed with the office of Maine's Attorney General this week, Penn noted that the attackers exploited a previously unknown security vulnerability in the Oracle E-Business Suite (EBS) financial application (also known as a zero-day flaw) to steal the personal information belonging to 1,488 individuals. However, the number of people potentially impacted by the i

665
critical -65
UNI1764684299
Incident Details -
Type
Data Breach Zero-Day Exploit Voice Phishing (related context)
Attack Vector
Zero-Day Vulnerability in Oracle E-Business Suite Voice Phishing (for broader Ivy League attacks)
Vulnerability Exploited
Unknown (zero-day) vulnerability in Oracle E-Business Suite (EBS)
Impact
Personal information of 1,488 individuals (August breach) Personal information of ~1.2 million students, alumni, and donors (October breach) Oracle E-Business Suite (EBS) servers Internal systems (development and alumni activities) Brand Reputation Impact: Potential reputational damage due to breach affecting students, alumni, and donors Identity Theft Risk: High (personal information exposed)
Response
Communication Strategy: Breach notification letter filed with Maine's Attorney General
Data Breach
Type Of Data Compromised: Personal information 1,488 (August breach) ~1,200,000 (October breach) Sensitivity Of Data: High (personal information of students, alumni, donors, faculty, and staff)
Regulatory Compliance
Regulatory Notifications: Maine Attorney General (breach notification letter)
Investigation Status
Ongoing (as of late October 2025)
Customer Advisories
Breach notification letters sent to affected individuals
Initial Access Broker
Zero-day vulnerability in Oracle EBS (August) Voice phishing (broader Ivy League attacks) Development and alumni activity systems Personal data of students, alumni, and donors
Post Incident Analysis
Zero-day vulnerability in Oracle EBS Potential voice phishing (for broader attacks)
References
Blog URL Source URL
JULY 2025
730
JUNE 2025
729
MAY 2025
809
Breach
01 May 2025 • University of Pennsylvania (Penn)
University of Pennsylvania Data Breach (2025)

The University of Pennsylvania (Penn) suffered a cybersecurity breach in which an unauthorized individual infiltrated its network and potentially exfiltrated personally identifiable information (PII) of over **one million donors**. The compromised data includes **donation histories, donor net worth, and demographic details**, though the full scope of misuse remains under investigation. The incident has prompted a class-action investigation by **Lynch Carpenter, LLP**, a national law firm specializing in data privacy litigation, suggesting significant legal and reputational risks for Penn. Affected individuals may be eligible for compensation, indicating potential financial liabilities for the institution. The breach underscores vulnerabilities in Penn’s cybersecurity defenses, particularly in safeguarding high-value donor data, which could erode trust among stakeholders and donors. The long-term impact may include regulatory scrutiny, operational disruptions, and costs associated with remediation, notification, and legal settlements.

728
critical -81
UNI1692816110425
Incident Details -
Type
Data Breach
Impact
donation history donor net worth demographic details Brand Reputation Impact: Potential reputational damage due to exposure of sensitive donor information Legal Liabilities: Lynch Carpenter, LLP is investigating claims for potential compensation; class action lawsuit possible Identity Theft Risk: High (PII exposed)
Response
Communication Strategy: Public disclosure via press release; legal firm (Lynch Carpenter, LLP) notified affected individuals for potential claims
Data Breach
donation history donor net worth demographic details Number Of Records Exposed: 1,000,000+ Sensitivity Of Data: High (PII, financial details) Data Exfiltration: Possible (unauthorized access and acquisition of records)
Regulatory Compliance
Legal Actions: Potential class action lawsuit (under investigation by Lynch Carpenter, LLP)
Investigation Status
Ongoing (Lynch Carpenter, LLP investigating claims)
Customer Advisories
Donors whose PII may have been compromised are encouraged to seek legal consultation via Lynch Carpenter, LLP
Stakeholder Advisories
Affected donors advised to contact Lynch Carpenter, LLP for legal review
Initial Access Broker
donor records financial details
References
Blog URL Source URL

Frequently Asked Questions

According to Rankiteo, the current A.I.-based Cyber Score for University of Pennsylvania is 684, which corresponds to a Weak rating.

According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2026 was 682.

According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2026 was 680.

According to Rankiteo, the A.I. Rankiteo Cyber Score for January 2026 was 679.

According to Rankiteo, the A.I. Rankiteo Cyber Score for December 2025 was 690.

According to Rankiteo, the A.I. Rankiteo Cyber Score for November 2025 was 689.

According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 688.

According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 686.

According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 682.

According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 730.

According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 729.

According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 726.

Over the past 12 months, the average per-incident point impact on University of Pennsylvania’s A.I Rankiteo Cyber Score has been -73.0 points.

You can access University of Pennsylvania’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/university-of-pennsylvania.

You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.

You can view University of Pennsylvania’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/university-of-pennsylvania.

With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.