
Harvard University disclosed over the weekend that its Alumni Affairs and Development systems were compromised in a voice phishing attack, exposing the personal information of students, alumni, donors, staff, and faculty members.
The private Ivy League research university has over 20,000 faculty and staff, more than 24,500 undergraduate and graduate students, and over 400,000 alumni worldwide.
The exposed data includes email addresses, telephone numbers, home and business addresses, event attendance records, donation details, and “biographical information pertaining to University fundraising and alumni engagement activities.”
However, according to Klara Jelinkova, Harvard’s Vice President and University Chief Information Officer, and Jim Husson, the university’s Vice President for Alumni Affairs and Development, the compromised IT systems didn’t contain Social Security numbers, passwords, payment card information, or financial info.
Harvard officials believe that the following groups and individuals had their data exposed in the data breach:
- Alumni
- Alumni spouses, partners, and widows/widowers of alumni
- Donors to Harvard University
- Parents of current and former students
- Some current students
- Some faculty and staff
The university is working with law enforcement and third-party cybersecurity experts to investigate the incident, and it sent data breach notifications on November 22nd to individuals whose information may have been accessed in the attack.
“On Tuesday, November 18, 2025, Harvard University discovered that information systems used by Alumni Affairs and Development were accessed by an unauthorized party as a result of a phone-based phishing attack,” the letters warn.
“The University acted immediately to remove the attacker’s access to our systems and prevent further unauthorized access. We are writing to make you aware that information about you may have been accessed and so you can be alert for any unusual communications that purport to come from the University.”
The university also urged potentially affected individuals to be suspicious of calls, text messages, or emails claiming to be from the university, particularly those requesting password resets or sensitive information (e.g., passwords, Social Security numbers, or bank information).
A Harvard spokesperson could not specify how many individuals had their information exposed when contacted for more details.
In mid-October, Harvard University also said that it was investigating another data breach after the Clop ransomware gang added it to its data-leak extortion site, claiming it had breached the school’s systems using a zero-day vulnerability in Oracle’s E-Business Suite servers.
Two other Ivy League schools, Princeton University and the University of Pennsylvania, disclosed data breaches earlier this month, both confirming that attackers gained access to donors’ information.
Update November 25, 05:13 EST: Added Harvard statement.