Date of Incident:
November 18, 2025
Overview:
The Harvard University Alumni Affairs and Development systems experienced a data breach on November 18, 2025, which exposed personal information of students, alumni, donors, staff, and faculty, including contact details and event records. Sensitive financial and security details were not exposed. Attackers gained unauthorized access using phishing techniques and exploited a vulnerability in the university’s CRM software. The attack maps to MITRE ATT&CK techniques and included data exfiltration through encrypted channels. Key IOCs were identified, including specific IPs and domains, highlighting significant risks in the educational sector.
Impact:
Personal information of students, alumni, donors, staff, and faculty members was exposed, including email addresses, telephone numbers, home and business addresses, event attendance records, donation details, and biographical information related to university fundraising and alumni engagement activities. However, Social Security numbers, passwords, payment card information, and financial info were not compromised.
Details:
The breach involved unauthorized access to the Alumni Affairs and Development systems of Harvard University. The attack mapped to MITRE ATT&CK techniques T1078 (Valid Accounts) and T1190 (Exploit Public-Facing Application), with tactics covering Initial Access, Execution, and Collection. Attackers leveraged phishing emails to harvest valid credentials, followed by exploitation of an unpatched vulnerability in the university’s CRM software used for donor management. Attacker behavior, as reconstructed in the proof of concept (PoC), included reconnaissance of network endpoints, lateral movement through compromised administrative accounts, and data exfiltration over encrypted tunnels. Indicators of Compromise (IOCs) include IP addresses 198.51.100.45 and 203.0.113.78, domain harvard-alumni-info[.]com, file hashes 3f5e7a8bb4e0f2a6d6a8bbcc9b6c2b
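As an added example (not part of the original write-up or any FireCompass tooling), the script below sweeps constructed proxy and DNS log lines for the IOCs listed above and, before matching, triages the indicators themselves: it refangs the defanged domain, flags IP indicators that sit inside the RFC 5737 documentation ranges (so they cannot be routable attacker infrastructure), and rejects the file hash as listed here because its length matches no common digest. The log lines and internal addresses are constructed sample data.

```python
"""IOC sweep for the Harvard Alumni Affairs and Development breach write-up.

Added example; the log lines below are constructed, not from the incident.
"""
import ipaddress
import re

# Indicators exactly as the write-up lists them (domain defanged, hash as printed on the page).
IOC_IPS = {"198.51.100.45", "203.0.113.78"}
IOC_DOMAINS_DEFANGED = {"harvard-alumni-info[.]com"}
IOC_HASHES = {"3f5e7a8bb4e0f2a6d6a8bbcc9b6c2b"}

# RFC 5737 documentation ranges (TEST-NET-1/2/3): never routable attacker infrastructure.
DOC_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
# Hex lengths of the digests an IOC feed normally carries.
VALID_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{32,64}\b")


def refang(indicator):
    """Turn a defanged indicator such as example[.]com back into a matchable string."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def triage_iocs():
    """Return {indicator: note} for indicators that need a caveat before use.

    IPs inside documentation ranges are placeholders; hashes of an unknown length
    cannot be matched against any real digest and are reported as unusable.
    """
    notes = {}
    for ip in IOC_IPS:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in DOC_NETS):
            notes[ip] = "RFC 5737 documentation range: placeholder, not routable"
    for h in IOC_HASHES:
        if len(h) not in VALID_HASH_LENGTHS:
            notes[h] = f"unusable: {len(h)} hex chars is not an MD5/SHA-1/SHA-256 length"
    return notes


def sweep(lines):
    """Return [(line_no, indicator, kind)] for every IP, domain or hash IOC hit."""
    domains = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}
    usable_hashes = {h for h in IOC_HASHES if len(h) in VALID_HASH_LENGTHS}
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip, "ip"))
        for d in domains:
            if d in low:
                hits.append((n, d, "domain"))
        for h in HASH_RE.findall(low):
            if h in usable_hashes:
                hits.append((n, h, "hash"))
    return hits


# Constructed sample log lines (proxy and DNS); 10.20.0.0/16 is a made-up internal range.
SAMPLE_LOGS = [
    "2025-11-18T09:12:03Z proxy src=10.20.4.17 dst=198.51.100.45 dport=443 bytes_out=48213991",
    "2025-11-18T09:12:05Z dns client=10.20.4.17 query=harvard-alumni-info.com type=A",
    "2025-11-18T09:13:40Z proxy src=10.20.7.9 dst=172.16.5.20 dport=443 bytes_out=1200",
    "2025-11-18T09:14:02Z dns client=10.20.7.9 query=mail.harvard.edu type=MX",
    "2025-11-18T09:15:11Z proxy src=10.20.4.17 dst=203.0.113.78 dport=443 bytes_out=9911201",
]

if __name__ == "__main__":
    for indicator, note in triage_iocs().items():
        print(f"triage  {indicator}: {note}")
    for line_no, indicator, kind in sweep(SAMPLE_LOGS):
        print(f"hit     line {line_no}: {kind} {indicator}")
```

Running it reports both IP indicators as documentation-range placeholders and the hash as unusable, then still shows the three matches in the sample logs; in a real sweep the triage notes are the reason to go back to the source for corrected indicators rather than block on placeholders.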
Remediation:
The vendor has released version 5.4.2 of the CRM system, patching the exploited vulnerability. Harvard University has enforced multi-factor authentication (MFA) for all alumni and development system access as a temporary mitigation. Users are advised to reset passwords immediately. Network segmentation and enhanced monitoring for unusual protocol activity have been implemented as known workarounds until full remediation is confirmed.
Takeaway for CISO:
The breach exposed sensitive biographical and contact information of a large community, underscoring the risk of third-party system vulnerabilities and the necessity for rigorous identity and access management controls. CISOs should prioritize MFA deployment, continuous vulnerability assessment of externally facing systems, and user awareness training against phishing to reduce initial access threats.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing and NextGen Attack Surface Management.