Executive Summary

On November 22, 2025, Harvard University announced a data breach within its Alumni Affairs and Development Office, which was first detected on November 18. The breach resulted from a phone-based phishing (vishing) attack, allowing an unauthorized actor to access systems storing personal information and donation records of university donors and affiliates. The university has since secured its systems and engaged third-party cybersecurity experts and law enforcement to investigate the full scope of the incident. This attack is part of a broader trend targeting the fundraising arms of major universities, with similar incidents recently reported at Princeton University and the University of Pennsylvania.

Threat Overview

An unauthorized party gained access to the information systems of Harvard's Alumni Affairs and Development Office through a vishing attack. This social engineering technique involves deceiving an employee over the phone to gain credentials or access. The breach was discovered on November 18, 2025, after which the university took immediate action to revoke the attacker's access.

The compromised systems contained a range of personally identifiable information (PII), including:

• Names
• Email addresses
• Telephone numbers
• Home and business addresses
• Donation details and history
• Records of event attendance

University officials have stated that the systems do not typically store highly sensitive information such as Social Security numbers, financial account details, or passwords. However, the exposed data is sufficient for launching further targeted phishing campaigns, identity fraud, or social engineering attacks against affluent donors. The incident highlights a coordinated effort by threat actors to target the fundraising and alumni relations departments of Ivy League schools, which are perceived as holding valuable data on influential and wealthy individuals.

Technical Analysis

The primary attack vector was Social Engineering, specifically phone-based phishing or 'vishing'. The threat actor likely impersonated a trusted individual, such as a university employee, IT support staff, or a prominent donor, to trick an employee into divulging credentials or providing remote access.

MITRE ATT&CK Techniques

• T1598.001 - Phishing for Information: Spearphishing Voice: The core of the attack, using voice communication to elicit information or manipulate the target.
• T1078 - Valid Accounts: Once credentials were stolen, the attacker likely used them to gain legitimate access to the university's systems.
• T1003 - OS Credential Dumping: After initial access, the attacker may have attempted to dump credentials to move laterally or escalate privileges.
• T1021 - Remote Services: The attacker may have used remote services like VPN or RDP to access the internal network with the stolen credentials.
• T1048 - Exfiltration Over Alternative Protocol: The attacker likely exfiltrated the donor data over encrypted channels to avoid detection.

Impact Assessment

The immediate impact is the exposure of personal and financial (donation-related) information of Harvard's donors and affiliates. This breach poses a significant reputational risk to the university and erodes trust within its donor community. The exposed data could be sold on dark web forums or used for highly targeted spear-phishing campaigns against wealthy individuals. The coordinated nature of attacks on multiple universities suggests a well-organized threat actor who may be compiling a large database for financial fraud or espionage purposes. Financially, the university will incur costs related to the investigation, system remediation, legal fees, and potential regulatory fines.

Cyber Observables for Detection

Organizations can hunt for similar threats by monitoring for:

Detection & Response

• User Behavior Analytics (UBA): Deploy UBA solutions to detect anomalous account behavior, such as logins from unfamiliar locations, accessing unusual amounts of data, or activity outside of normal working hours. This aligns with D3FEND's D3-LAM - Local Account Monitoring.
• Enhanced Logging and Monitoring: Ensure comprehensive logging is enabled for all critical systems, especially CRM and database applications. Forward logs to a centralized SIEM for correlation and alerting on suspicious activities.
• Incident Response Playbook: Activate the incident response plan for data breaches. This should include isolating affected systems, preserving evidence, and communicating with stakeholders as guided by legal counsel.

Mitigation

• M1017 - User Training: Implement a continuous security awareness program with a strong focus on identifying social engineering and vishing attacks. Conduct regular phishing simulations (including vishing) to test and reinforce employee knowledge. This is a form of D3FEND's D3-ACH - Application Configuration Hardening by hardening the 'human firewall'.
• M1032 - Multi-factor Authentication: Enforce MFA on all remote access services, cloud applications, and critical internal systems. This would have likely prevented the attacker from using stolen credentials. This directly maps to D3FEND's D3-MFA - Multi-factor Authentication.
• M1026 - Privileged Account Management: Implement the principle of least privilege. Ensure users only have access to the data and systems absolutely necessary for their job functions. Regularly review and audit user permissions.
• Verification Protocols: Establish strict out-of-band verification protocols for any requests involving sensitive data access or system changes. For example, any phone-based request for a password reset must be verified via a separate, trusted communication channel like an employee's HR-registered mobile number.