Harvard University Confirms Data Theft After Voice-Phishing Scam

Harvard University said that a voice-phishing attack allowed threat actors to breach its Alumni Affairs and Development systems, resulting in the theft of personal data from students, alumni, donors, faculty, and staff.

 

In a data security incident notice posted on its website, Harvard officials stated that on November 18 the university was targeted by a “phone-based phishing attack,” allowing threat actors to gain access to systems used by its Alumni Affairs and Development department.

 

The university immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“The University acted immediately to remove the attacker’s access to our systems and prevent further unauthorised access. We are continuing to closely monitor and have no evidence of further unauthorised access,” the university said.

 

Officials reported that sensitive personal information belonging to alumni; their spouses, partners, and surviving spouses; donors; parents of current and former students; as well as current students, faculty, and staff was compromised. 

 

The exposed data included names, email addresses, telephone numbers, home and business addresses, event attendance, details of donations to the University, and other biographical information pertaining to University fundraising and alumni engagement activities. The University has, however, confirmed that Social Security numbers, passwords, payment card information, or financial account numbers were not accessed by the threat actors.

 

Harvard officials stated that the investigation is still ongoing and that additional information will be shared as it becomes available.

 

Last month, the University said it was investigating a potential data breach linked to the exploitation of a zero-day vulnerability in Oracle’s E-Business Suite servers by the Clop ransomware group. 

 

According to a Harvard spokesperson, the incident appears to impact a limited number of parties associated with a small administrative unit. Upon notification from Oracle, Harvard applied a patch to remediate the vulnerability and is continuing to monitor the situation. So far, there is no evidence of compromise to other university systems.