Days after Harvard officials announced that an “unauthorized party” using a “phone-based phishing attack” had breached databases used by the office of Alumni Affairs and Development, information on the attack remains sketchy. In an email on Saturday to University affiliates, Harvard officials said that the breach was discovered November 18 and that Harvard had “acted immediately to remove the attacker’s access to our systems and prevent further unauthorized access.” An investigation is ongoing.
“We are working with third-party cybersecurity experts and law enforcement to investigate this incident,” said Tim Bailey, communications director of Harvard University Information Technology, in a statement on Monday, in response to questions from Harvard Magazine.
Harvard officials do not yet know precisely what data the attackers accessed. But Saturday’s email, signed by chief information officer Klara Jelinkova and Alumni Affairs and Development chief James J. Husson, said that the breached databases generally do not contain Social Security numbers, passwords, payment card information, or financial account numbers. But those databases do include other personal information, such as email addresses, telephone numbers, home and business addresses, event attendance, details of donations to Harvard, and “other biographical information pertaining to University fundraising and alumni engagement activities.”
Harvard IT officials launched a website to provide updates on the incident, and a “frequently asked questions” section there offers further information.
Among those whose data may have been compromised are alumni and their spouses or partners, the widows and widowers of alumni, Harvard donors, parents of current and former students, some current students, and some faculty and staff members, according to the website.
The attack on Harvard’s databases is one of several similar incidents at universities recently, including a data breach reported last week at Princeton and another three weeks ago at the University of Pennsylvania. Earlier this year, hackers attacked databases at Columbia University and New York University. In previous years, attacks exposed personal data at Stanford University and Georgetown University.
While the wealth of these universities and their donors make them attractive targets—and the databases’ large number of users can make them especially vulnerable to attack—another motive can be politics. In a taunting mass email, the hackers who breached Penn’s database called the university “elitist,” “woke,” and “unmeritocratic,” and referred to what they called its “unqualified affirmative action admits.” At Columbia and NYU, as well, hackers said they were seeking proof that the universities were unlawfully using affirmative action in their admissions processes, a practice banned in 2023 by the U.S. Supreme Court, a practice banned in 2023 by the U.S. Supreme Court in Students for Fair Admissions (SFFA) v. Harvard.
