On Nov. 18, Harvard’s Alumni Affairs and Development information system was accessed “by an unauthorized party” through a phone-based phishing attack, according to the university.
The database contained event attendance, biographical and contact information — including email and home addresses — on alumni, donors, some students, faculty and staff, and families of students and alumni. Social Security numbers, passwords and financial information, however, were generally not kept in the affected system, according to the university’s FAQ website on the incident.
Within that system, Harvard is unaware of what information was accessed, campus leaders said in an email Saturday to those who may have been affected. The university is continually assessing whether additional notifications to people are necessary, as they investigate the attack with law enforcement and cybersecurity experts.
Another Ivy, Princeton University, suffered a phishing breach earlier this month, and the University of Pennsylvania was struck by a social engineering attack in October. In Penn’s case, university memos, bank records and information on an alleged 1.2 million donors, students and alumni were infiltrated. Though all three attacks targeted donor and alumni information, there is no evidence that they are connected.
Additionally, Columbia University was struck in the summer by a data breach targeting admissions, enrollment and financial aid, not alumni relations. According to school officials, the breach compromised Social Security numbers and health information for 870,000 faculty, staff, students and applicants.
Some of the recent cyber attacks have included messaging from attackers criticizing university admission processes. According to the Daily Pennsylvanian, emails from hackers said Penn “love[s] legacies, donors, and unqualified affirmative action admits.”
The three institutions have encouraged caution in digital communications, especially with emails, texts and calls asking for password reset or soliciting donations.
