490/68 Wednesday, November 26, 2025
Harvard University has disclosed a data breach affecting its Alumni Affairs and Development (AAD) system, which was compromised through a voice phishing (vishing) attack. The incident allowed unauthorized access to personal information of alumni, donors, students, staff, and related individuals. The breach was detected on November 18, 2025, and Harvard began sending notification letters to affected individuals on November 22.
The exposed information includes email addresses, phone numbers, mailing addresses, event participation history, donation details, and other personal profile information. However, Harvard confirmed that no sensitive data-such as Social Security numbers (SSNs), passwords, payment card details, or financial information-was accessed, since the compromised system did not store such data. Those affected include alumni, spouses of alumni, donors, parents of current and former students, certain students, and some faculty and staff members. The university is currently conducting an investigation in collaboration with law enforcement and cybersecurity experts, and advises those affected to remain cautious of suspicious communications-particularly messages or emails claiming to be from the university requesting sensitive information or password resets.
Harvard is also investigating a second potential data breach that may be linked to attacks by the Clop ransomware group, who previously exploited a Zero-day vulnerability in Oracle E-Business Suite. Additionally, fellow Ivy League institutions Princeton University and the University of Pennsylvania have recently disclosed similar donor-related data breaches.
