
7/2/2015
03:00 PM

Harvard Suffers Data Breach Spanning Multiple Schools, Administration Networks

Investigation so far shows email and system login info may have been compromised, university says.

A data breach at Harvard University appears to have exposed system and email passwords belonging to an unspecified number of faculty, staff, and students from numerous schools and at least one major administrative network at the university.

Harvard discovered the intrusion on June 19 but publicly disclosed it only Thursday while it worked to mitigate the issue. A statement disclosing the breach said Harvard discovered an intrusion into the Faculty of Arts and Sciences (FAS) network and another one at the university Central Administration network.

The FAS is Harvard’s largest division, according to the university. It encompasses several schools including Harvard College, the Graduate School of Arts and Sciences, the School of Engineering and Applied Sciences, and the Division of Continuing Education. Also part of FAS are several libraries and museums and Harvard’s athletics division.

In addition to those on the FAS network, others whose data was compromised include people at Harvard Divinity School, the Radcliffe Institute for Advanced Study, the Harvard T.H. Chan School of Public Health, and other schools.

Though Harvard’s statement and accompanying FAQ are sparse on the details, the university's advice to affected parties suggests that not everyone was impacted in exactly the same manner. Those with a login to FAS, the Divinity School, Central Administration, and Radcliffe Institute for Advanced Study, for instance, were asked to change the passwords associated with both their Harvard system and their email accounts.

Meanwhile, victims from the Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, and Harvard T.H. Chan School of Public Health were asked only to change passwords to their Office 365 or Icemail university email service accounts.

The university also instructed those affiliated with the affected networks to update all devices synched with their Harvard account with the new password.

In the breach disclosure statement, Harvard provost Alan Garber and its executive vice president Katie Lapp said that no personal or research data appears to have been compromised. Though passwords to individual systems appear to have been compromised in some cases, there is no indication that credentials in the university’s core PIN System were compromised, they said.

Those affiliated with the Harvard Business School, Harvard Kennedy School, Harvard Law School, Harvard Medical School, and Harvard School of Dental Medicine were not impacted in the breach.

This is the second time in recent months that Harvard has had to deal with an intrusion into its networks. In April, a group of hackers claiming a pro-Palestinian agenda defaced the website of Harvard’s Institute of Politics. The intrusion resulted in the hackers replacing the site’s usual web page with various propaganda images and messages for a total of about 35 minutes before the site was taken offline.

Academic institutions generally have a poor reputation for information security. Security vendor BitSight Technologies, which rates different industries on their security posture, gives the education sector the lowest score based on its analysis of data gathered from sensors around the globe. The company looks at data such as indicators of compromise, infected machines, and improper configuration to calculate credit-rating-like scores for different industries. In its latest index, the median security score for Education is just 550 -- compared to 710 for the financial services industry.

Somewhat surprisingly, though, there haven’t been too many publicly reported instances of major intrusions at universities in recent months. In fact, since the beginning of this year, there have been just 6 publicly reported breaches at academic institutions, according to the Privacy Rights Clearinghouse.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 

Comments
Paladium,
User Rank: Moderator
7/10/2015 | 10:02:33 AM
Re: A "hack" indeed
You should see what the U of Michigan's security looks like. Very, very sad state of affairs currently. I've seen sponges with more security. However, there appears to be a new breed of security leadership at the UofM. I hope they can overcome the culture of "anything goes". They also need to stop the practice of employees being allowed to have a personal folder on their workstations where NO ONE, including security staff, is allowed to look. If caught you could face disciplinary actions, up to and including termination for cause. Things may have changed, but that was the way it was when I spent some time there. Just imagine if some sicko was storing child porn in his "personal" folder. Since no one is allowed to look in there, there would be no way to detect it. Liberal madness at its finest...

But let me state again that this was the way it was several years back. Things may have changed, or are changing for the better. Kudos and good luck to the IT and Security staff fighting the good fight at UofM. Changing the security culture of any organization is a slow and usually thankless job...
Joe Stanganelli,
User Rank: Ninja
7/3/2015 | 10:59:25 AM
A "hack" indeed
What do you wanna bet it's MIT kids?  ;)