Harvard University on Wednesday announced that on June 19, it discovered a security breach in the IT systems of its Faculty of Arts and Sciences and Central Administration, currently impacting eight different schools and administrative organizations at the university.
A copy of the memo from Anne Margulies, VP and Harvard’s CIO, announcing the intrusion to one of the affected groups, students in the Graduate School of Arts and Sciences, was quietly sent out in the evening on July 1: not “burying the news on a Friday afternoon” time, but not a peak time either.
“At this time, we have no indication that research data or personal data managed by Harvard systems (e.g. social security numbers) have been exposed. There is no indication that PIN credentials, used to access University systems and web resources, have been exposed,” the university IT team notes on a website it set up with information it’s making public about the breach and help and guidelines for people who are affected.
However, it also added that “it is possible that Harvard login credentials (computer and email passwords, including Office 365) stored on the compromised FAS and Central Administration networks have been exposed.” The team also said that it does not currently believe Harvard email has been exposed. People affiliated with the eight affected organizations have been asked to change their passwords and update access across all devices synced to Harvard accounts.
The eight affected organizations are the Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study, Central Administration, Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, and Harvard T.H. Chan School of Public Health.
Students and staff at the Harvard Business School, Harvard Kennedy School, Harvard Law School, Harvard Medical School, and Harvard School of Dental Medicine have been told that they do not need to take any action at this point. A further list of systems that are unaffected can be found here. The breach comes at a sensitive time in IT security, specifically as it pertains to high-profile government and institutional systems.
In June, it emerged that the U.S. Office of Personnel Management, which manages the civil service of the federal government and covers areas like security clearances, had suffered a breach that could have affected four million records, but might also have included the theft of up to 18 million unique social security numbers. The U.S. currently says China is the leading suspect for the attack.
We have contacted Harvard to ask if its own intrusion is in any way connected to the OPM hack, along with other questions about the nature of the intrusion, and will update as we learn more. Harvard has referred us to the website it has set up, which is not yet providing any further details on the intrusion itself. In the meantime, the university has posted a FAQ page about the breach. In it, Harvard does not go into details about the breach itself or what techniques were used. It notes that it’s now using “enhanced security measures” to protect its systems.
It has also notified federal law enforcement and is currently working with an (unnamed) external cybersecurity firm on a thorough forensic investigation to figure out what happened. The university also comments on the delay until late Wednesday to notify people of the intrusion. It spoke up “as soon as we were confident that notification would not jeopardize our efforts to secure systems and limit damage from the intrusion, potentially making the situation much more difficult to resolve.”
This is not the first time Harvard has been hacked. Most recently, its Institute of Politics website was breached, with pro-Palestinian group AnonGhost claiming responsibility. More generally, universities and institutions are becoming more common targets for breaches, according to Privacy Rights Clearinghouse, beyond the bigger overall growth in attacks we’ve seen globally. Back in 2012, a group called Team GhostShell claimed to hack 100 universities’ systems, including that of Harvard. Last year, systems at Johns Hopkins University and the University of Maryland were breached.