Harvard University disclosed over the weekend that its Alumni Affairs and Development systems were compromised in a voice phishing attack, exposing the personal information of students, alumni, donors, staff, and faculty members.
The exposed data includes email addresses, telephone numbers, home and business addresses, event attendance records, donation details, and “biographical information pertaining to University fundraising and alumni engagement activities.”
However, according to Klara Jelinkova, Harvard’s Vice President and University Chief Information Officer, and Jim Husson, the university’s Vice President for Alumni Affairs and Development, the compromised IT systems didn’t contain Social Security numbers, passwords, payment card information, or financial info.
Harvard officials believe that the following groups and individuals had their data exposed in the data breach:
- Alumni
- Alumni spouses, partners, and widows/widowers of alumni
- Donors to Harvard University
- Parents of current and former students
- Some current students
- Some faculty and staff
The private Ivy League research university is working with law enforcement and third-party cybersecurity experts to investigate the incident, and it has sent data breach notifications on November 22nd to individuals whose information may have been accessed in the attack.
“On Tuesday, November 18, 2025, Harvard University discovered that information systems used by Alumni Affairs and Development were accessed by an unauthorized party as a result of a phone-based phishing attack,” the letters warn.
“The University acted immediately to remove the attacker’s access to our systems and prevent further unauthorized access. We are writing to make you aware that information about you may have been accessed and so you can be alert for any unusual communications that purport to come from the University.”
The university also urged potentially affected individuals to be suspicious of calls, text messages, or emails claiming to be from the university, particularly those requesting password resets or sensitive information (e.g., passwords, Social Security numbers, or bank information).
A Harvard spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
In mid-October, Harvard University also told BleepingComputer that it was investigating another data breach after the Clop ransomware gang added it to its data-leak extortion site, claiming it had breached the school’s systems using a zero-day vulnerability in Oracle’s E-Business Suite servers.
Two other Ivy League schools, Princeton University and the University of Pennsylvania, disclosed data breaches earlier this month, both confirming that attackers gained access to donors’ information.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.