A data breach at Harvard University appears to have exposed system and email passwords belonging to an unspecified number of faculty, staff, and students from numerous schools and at least one major administrative network at the university.
Harvard discovered the intrusion on June 19 but publicly disclosed it only Thursday while it worked to mitigate the issue. A statement disclosing the breach said Harvard discovered an intrusion into the Faculty of Arts and Sciences (FAS) network and another one at the university Central Administration network.
The FAS is Harvard’s largest division, according to the university. It encompasses several schools including Harvard College, the Graduate School of Arts and Sciences, the School of Engineering and Applied Sciences, and the Division of Continuing Education. Also part of FAS is several libraries and museums and Harvard’s athletics division.
In addition to those on the FAS network, others whose data was compromised include people at Harvard Divinity School, the Radcliffe Institute for Advanced Study, and the Harvard T.H. Chan School of Public Health and other schools.
Though Harvard’s statement and accompanying FAQ are sparse on the details, the university's advice to affected parties suggests that not everyone was impacted in exactly the same manner. Those with a login to FAS, the Divinity School, Central Administration, and Radcliffe Institute for Advanced Study, for instance, were asked to change the passwords associated with both their Harvard system and their email accounts.
Meanwhile, victims from the Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, and Harvard T.H. Chan School of Public Health, were asked only to change passwords to their Office 365 or Icemail university email service accounts.
The university also instructed those affiliated with the affected networks to update all devices synched with their Harvard account with the new password.
In the breach disclosure statement, Harvard provost Alan Garber and its executive vice president Katie Lapp said that no personal or research data appears to have been compromised. Though passwords to individual systems appear to have been compromised in some cases, there is no indication that credentials in the university’s core PIN System was compromised, they said.
Those affiliated with the Harvard Business School, Harvard Kennedy School, Harvard Law School, Harvard Medical School, and Harvard School of Dental Medicine, were not impacted in the breach.
This is the second time in recent months that Harvard has had to deal with an intrusion into its networks. In April, a group of hackers claiming a pro- Palestinian agenda defaced the website of Harvard’s Institute of Politics. The intrusion resulted in the hackers replacing the site’s usual web page with various propaganda images and messages for a total of about 35 minutes before the site was taken offline.
Academic institutions generally have a poor reputation for information security. Security vendor BitSight Technologies, which rates different industries on their security posture, gives the education sector the lowest score based on its analysis of data gathered from sensors around the globe. The company looks at data like indicators of compromise, infected machines, and improper configuration, to calculate credit-rating-like scores for different industries. In its latest index, the median security score for Education is just 550 -- compared to 710 for the financial services industry.
Somewhat surprisingly enough, though, there haven’t been too many publicly reported instances of major intrusions at universities in recent months. In fact, since the beginning of this year, there have been just 6 publicly reported breaches at academic institutions, according to the Privacy Rights Clearinghouse.