Harvard University suffers IT security breach
Discovered on June 19, the intrusion was first spotted on the Faculty of Arts and Sciences and Central Administration information technology networks, but a subsequent investigation revealed that eight schools and administrative organizations have been affected altogether.
The University has called in federal law enforcement and external infosec experts to help with the investigation and to harden the University’s IT systems against cyber attacks.
“At this time, we have no indication that research data or personal data managed by Harvard systems (e.g. social security numbers) have been exposed. There is no indication that PIN credentials, used to access University systems and web resources, have been exposed,” the University explained via a dedicated web page.
“It is possible that Harvard login credentials (computer and email passwords, including Office 365) stored on the compromised FAS and Central Administration networks have been exposed. In order to further secure your data, the University is requiring some members of our community to change their Harvard passwords.”
Students and/or employees of the Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study, and Central Administration have been asked to change the password associated with their Harvard account (computer login and email account), while those who are part of the Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, or Harvard T.H. Chan School of Public Health are advised to change their email password (Office 365 or Icemail).
The University also explained why it took so long for notifications about the breach to be sent out: “We notified the community as soon as we were confident that notification would not jeopardize our efforts to secure systems and limit damage from the intrusion, potentially making the situation much more difficult to resolve.”
Finally, they warned affected individuals to be on their guard as phishing attempts might follow the public revelation of the breach, and pointed them to a dedicated site that spells out Harvard’s information security best practices, and publishes security alerts and announcements.