24.11.2025
2 min
432
Harvard University has disclosed a major data breach following a voice-phishing attack that compromised systems used for alumni and donor relations. While financial data remains untouched, attackers accessed large amounts of personal information belonging to alumni, donors, staff, and some students.
Harvard confirmed that the Alumni Affairs and Development IT systems were compromised after threat actors gained access through a phone-based phishing attack. Exposed data includes email addresses, phone numbers, home and business addresses, event attendance records, donation information, and biographical details used for fundraising and engagement.
University officials emphasized that the compromised systems did not contain Social Security numbers, passwords, payment card data, or banking information.
Notifications were sent on November 22nd to all potentially affected individuals. The university warned recipients to be cautious of suspicious messages impersonating Harvard representatives. Law enforcement and third-party cybersecurity experts are currently investigating the breach.
The affected groups include:
alumni;
alumni spouses, partners, widows/widowers;
donors;
parents of current and former students;
some students, faculty, and staff.
This is Harvard’s second security incident in fall 2025. In October, the Clop ransomware gang claimed responsibility for another breach involving a zero-day vulnerability in Oracle’s E-Business Suite.
Other Ivy League institutions — Princeton University and the University of Pennsylvania — also disclosed recent leaks involving donor information, highlighting a rising trend of targeted attacks against academic organizations.
The breach illustrates how even elite universities remain vulnerable to social-engineering-based attacks. Harvard urges all potentially affected individuals to stay alert, avoid sharing sensitive data, and report suspicious calls or emails.
