Harvard Data Breach Exposes Alumni and Donor Information

Summary
– Harvard University’s Alumni Affairs and Development systems were compromised in a voice phishing attack, exposing personal information of students, alumni, donors, staff, and faculty.
– The exposed data includes email addresses, phone numbers, addresses, event attendance, donation details, and biographical information but excludes Social Security numbers, passwords, and financial data.
– Affected individuals include alumni, their spouses and partners, donors, parents of students, and some current students, faculty, and staff, with breach notifications sent on November 22nd.
– The university is investigating with law enforcement and cybersecurity experts, urging people to be wary of suspicious communications requesting sensitive information.
– This incident follows other recent data breaches at Harvard and two other Ivy League schools, Princeton and the University of Pennsylvania, involving donor information.

A sophisticated voice phishing scheme has compromised Harvard University’s Alumni Affairs and Development systems, potentially exposing sensitive personal data belonging to students, alumni, donors, faculty, and staff members. This incident highlights the persistent cybersecurity threats facing major educational institutions, even well-resourced ones such as this Ivy League university.
Harvard, which supports more than 20,000 faculty and staff members, educates over 24,500 undergraduate and graduate students, and maintains connections with a global network exceeding 400,000 alumni, confirmed the security breach over the weekend. The unauthorized access occurred through a phone-based phishing attack, a method where attackers use social engineering to trick individuals into providing system credentials.
The compromised information includes email addresses, telephone numbers, home and business addresses, event attendance records, donation histories, and biographical details related to fundraising and alumni engagement. Importantly, two university officials, Chief Information Officer Klara Jelinkova and Vice President for Alumni Affairs and Development Jim Husson, confirmed that the affected systems did not contain highly sensitive data such as Social Security numbers, passwords, payment card information, or banking details.
University administrators believe the data exposure potentially affects several distinct groups: alumni and their spouses or partners, including widows and widowers of former students; donors to the university; parents of both current and former students; along with some current students, faculty, and staff members.
Harvard detected the unauthorized system access on Tuesday, November 18, 2025, and immediately took action to remove the attacker’s access and prevent further infiltration. The institution is currently collaborating with law enforcement agencies and external cybersecurity specialists to investigate the full scope of the incident. Data breach notification letters were dispatched on November 22nd to individuals whose information may have been accessed.
These notifications advised recipients: “The University acted immediately to remove the attacker’s access to our systems and prevent further unauthorized access. We are writing to make you aware that information about you may have been accessed and so you can be alert for any unusual communications that purport to come from the University.”
The university is urging potentially affected individuals to exercise heightened caution regarding communications claiming to be from Harvard, particularly those requesting password resets or sensitive personal information. People should be suspicious of unsolicited calls, text messages, or emails that ask for passwords, Social Security numbers, or financial details.
When questioned for additional information, a Harvard spokesperson could not provide specific numbers regarding how many individuals had their information exposed. This incident follows another recent security event at Harvard, where in mid-October the university confirmed it was investigating a separate data breach after the Clop ransomware gang claimed to have compromised the school’s systems through a zero-day vulnerability in Oracle’s E-Business Suite servers.
The timing of this breach coincides with similar security incidents at other Ivy League institutions. Both Princeton University and the University of Pennsylvania disclosed data breaches earlier this month, with each confirming that attackers had successfully accessed donor information.
(Source: Bleeping Computer)





