Full Report
Harvard University and the University of Pennsylvania (UPenn) have more in common than just being Ivy League universities. Both suffered data breaches involving donor information, and their stolen data was leaked.

Harvard

On November 18, Harvard discovered that its Alumni Affairs and Development information had been attacked as a result of a phone-based phishing attack....
Analysis Summary
# Incident Report: Ivy League Donor Data Breaches (Harvard & UPenn)
## Executive Summary
Harvard University and the University of Pennsylvania (UPenn) both experienced significant data breaches involving sensitive donor and alumni information, which was subsequently leaked. Harvard's breach was attributed to a phone-based phishing attack discovered in November 2025, while UPenn's breach, which compromised over 1.2 million records, was resolved in late 2025. Both incidents exposed information on high-wealth donors, raising significant ethical concerns about the potential for follow-on targeting of those donors.
## Incident Details
- **Discovery Date (Harvard):** November 18, 2025
- **Incident Date (Harvard):** Prior to November 18, 2025 (Result of a phishing attack)
- **Incident Date (UPenn):** Reported as an October 2025 cybersecurity breach (Specific date mentioned: October 31, 2025)
- **Affected Organization:** Harvard University and University of Pennsylvania (UPenn)
- **Sector:** Education
- **Geography:** USA (implied by the universities' locations)
## Timeline of Events
### Initial Access
- **Date/Time (Harvard):** Unknown, initiated via a phone-based phishing attack.
- **Vector (Harvard):** Phone-based phishing attack.
- **Details (Harvard):** The attack targeted the Alumni Affairs and Development information systems.
- **Date/Time (UPenn):** Around October 31, 2025.
- **Vector (UPenn):** Cybersecurity breach (Specific vector not detailed in the source).
### Lateral Movement
- Not explicitly detailed for either incident in the provided text.
### Data Exfiltration/Impact
- **Harvard:** Stolen data included personal information such as email addresses, telephone numbers, home/business addresses, event attendance, donation details, fundraising/alumni engagement communications, and information on donors, alumni, and their associates (spouses, parents, etc.).
- **UPenn:** Data compromise involved over 1.2 million University students, alumni, and donors.
### Detection & Response
- **Harvard:** Discovered on November 18, 2025. The FAQ was last updated on December 19, 2025. The university stated it would assess the need for specific notifications.
- **UPenn:** Investigation concluded "last month" (relative to Feb 4, 2026). The university stated that it sent notifications, as required by law, to the "limited number of individuals" whose personal information was impacted, even though over 1.2 million records were potentially compromised. UPenn's incident webpage was later removed and now returns a 404 error.
## Attack Methodology
- **Initial Access (Harvard):** Phishing (Phone-based).
- **Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact (General):** Not detailed specifically, but resulted in the leakage of donor/alumni data.
- **Impact (Ethical/Reputational Note):** Leaked data included wealth information linked to names, suggesting high risk for subsequent targeted phishing/vishing on high-wealth donors.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach (Harvard Scope):** Personal information (email, phone, address, donation history, biographical info) for alumni, spouses, partners, donors, parents of students, some current students, and some faculty/staff.
- **Data Breach (UPenn Scope):** Compromised data for over 1.2 million students, alums, and donors.
- **Operational:** Not detailed.
- **Reputational:** Significant ethical questions arose regarding notification processes, data handling (especially wealth data), and UPenn's conflicting statements about review completion and notification scope.
## Indicators of Compromise
- *No specific, defanged Indicators of Compromise (IPs, hashes, domains) were provided in the source material.*
## Response Actions
- **Harvard:** Investigation initiated following discovery; information shared publicly via an FAQ page (as of Dec 19). Notification requirements were under assessment.
- **UPenn:** Conducted a "comprehensive review" of downloaded files, notified affected individuals as required by law, and subsequently removed the public incident webpage.
## Lessons Learned
- Phishing remains a potent vector even in highly secure environments (phone-based phishing specifically noted for Harvard).
- Universities face significant ethical ambiguity when data breaches involve high-value donor data, especially concerning the necessity and timing of proactive notification versus minimal legal compliance.
- Inconsistent or conflicting public statements regarding the scope of a breach and remediation (as seen with UPenn) severely damage institutional trust.
## Recommendations
- **Prevention Measures:** Implement heightened security training specifically targeting social engineering and vishing/phone-based phishing techniques for all employees handling sensitive development/alumni data.
- **Data Handling:** Review data retention policies for high-wealth donor profiles. Even where notification is not legally required, proactively notify high-risk individuals of data compromise, given the increased risk of targeted fraud.
- **Transparency:** Establish clear, legally compliant, and ethically sound procedures for immediate notification to affected parties, maintaining consistent, substantive updates throughout the investigation lifecycle.