A seventeenth-century university has become the victim of a twenty-first-century crime. Harvard University on Wednesday announced that on June 19, it discovered a breach in the IT systems of its Faculty of Arts and Sciences and Central Administration, currently impacting eight different schools and administrative organizations at the university.
A copy of the memo from Anne Margulies, VP and Harvard’s CIO, announcing the intrusion to one of the groups affected, students in the Graduate School of Arts and Sciences, is copied at the end of this post. It was quietly sent out in the evening on July 1 — not “burying the news on a Friday afternoon” time but also not at a peak time, either.
“At this time, we have no indication that research data or personal data managed by Harvard systems (e.g. social security numbers) have been exposed. There is no indication that PIN credentials, used to access University systems and web resources, have been exposed,” the university IT team notes on a website it set up with information it’s making public about the breach and help and guidelines for people who are affected.
However, it also added that “it is possible that Harvard login credentials (computer and email passwords, including Office 365) stored on the compromised FAS and Central Administration networks have been exposed.” They also added that currently they do not believe Harvard email has been exposed.
People affiliated with the eight affected organizations have been asked to change their passwords and update access across all devices synced to Harvard accounts.
They are the Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study, Central Administration, Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, and Harvard T.H. Chan School of Public Health.
Students and staff at the Harvard Business School, Harvard Kennedy School, Harvard Law School, Harvard Medical School, and Harvard School of Dental Medicine have been told that they do not need to take any action at this point. A further list of systems that are unaffected can be found here.
The breach comes at a sensitive time in IT security, specifically as it pertains to high-profile government and institutional systems.
In June, it emerged that the U.S. Office of Personnel Management, which manages the civil service of the federal government and covers areas like security clearances, had suffered a breach that could have affected four million records, but might have potentially also included the theft of up to 18 million unique social security numbers. The U.S. currently says China is the leading suspect for the attack.
We have contacted Harvard to ask if its own intrusion is in any way connected to the OPM hack, along with other questions about the nature of the intrusion, and will update as we learn more. (Update: Harvard has referred us to the website it has set up, which is not yet providing any further details on the intrusion itself.)
In the meantime, the university has posted a FAQ page about the breach. In it Harvard does not go into details about the breach itself or what techniques were used. It notes that it’s now using “enhanced security measures” to protect its systems.
It has also notified federal law enforcement and is currently working with an (unnamed) external cybersecurity firm on a thorough forensic investigation to figure out what happened.
The university also comments on the delay until late Wednesday to notify people of the intrusion. It spoke up “as soon as we were confident that notification would not jeopardize our efforts to secure systems and limit damage from the intrusion, potentially making the situation much more difficult to resolve.”
This is not the first time Harvard has been hacked. Most recently the its Institute of Politics website was breached, with pro-Palestinian group AnonGhost claiming responsibility.
More generally, universities and institutions are becoming more common targets for breaches, according to Privacy Rights Clearinghouse — beyond the bigger overall growth in attacks we’ve seen globally.
Back in 2012, a group called Team GhostShell claimed to hack 100 universities’ systems, including that of Harvard. Last year, systems at Johns Hopkins University and the University of Maryland were breached.
Memo below.
Dear Graduate School of Arts and Sciences students,
On June 19, Harvard discovered an intrusion on the Faculty of Arts and Sciences and Central Administration information technology networks.
Since discovering this intrusion, Harvard has been working with external information security experts and federal law enforcement to investigate the incident, protect the information stored on our systems, and strengthen IT environments across the University.
At this time, we have no indication that personal data or research data have been exposed. It is possible that Harvard logins used to access your University account have been exposed.
Action Needed
In order to further secure your data, the University is asking that students from Graduate School of Arts and Sciences change the password associated with your Harvard email account. Instructions on how to change your password are available at security.harvard.edu/passwordhelp.Please follow the instructions “Users in FAS” on the website http://security.harvard.edu/passwordhelp#change-fas.
Password changes may be required again at a later time as the University takes further steps to enhance security.Support Available
Step-by-step instructions for changing your password are available at security.harvard.edu/passwordhelp.
24/7 IT support is also available through the IT Help Desk at ithelp@harvard.edu or (617) 495-7777.
To avoid delays on the system during peak hours, we recommend changing your password between 8PM – 7AM if possible.While Harvard University Information Technology (HUIT) has substantially increased IT Help Desk resources to assist the community, longer wait times should be expected. Your patience is greatly appreciated.
Additional Information
Additional information, including FAQs, is available on the Harvard Information Security website at security.harvard.edu/cyber-alert. As always, if you receive questionable emails or phone calls asking for your account information, do not respond. Instead, please contact the IT Help Desk for guidance.We continue to monitor the situation closely and will update the community if further action is required.
Sincerely,
Anne Margulies
Vice President and University Chief Information Officer