Harvard University has disclosed a vishing attack that exposed the personal information of students, parents, alumni (and some of their spouses and partners), donors, staff, and faculty members.
Exposed data includes “biographical information pertaining to University fundraising and alumni engagement activities” as well as emails, phone numbers, home and business addresses, attendance records, and donation details.
The University said it acted immediately to remove the actor’s access to its systems and prevent further unauthorized access. “Our investigation is currently ongoing. We are working with third-party cybersecurity experts and law enforcement to investigate this incident. This website will be updated.”
Harvard said it is working with third-party cybersecurity experts and law enforcement to investigate this incident.
In a statement, it said: “Though the information systems that were accessed do not generally contain Social Security numbers, passwords, payment card information, or financial account numbers, they do include personal information such as email addresses, telephone numbers, home and business addresses, event attendance, details of donations to the University, and other biographical information pertaining to University fundraising and alumni engagement activities.”
Be Alert For Unusual Communications
As the investigation continues, Harvard said it will assess if specific notifications are needed.
“We encourage you to be on alert for any unusual communications that purport to come from the University, particularly those asking for sensitive information,” it added, advising people to:
- Pause before you engage. Be especially cautious with unexpected calls, text messages, or emails requesting sensitive information or asking you to reset your password, even if they appear to come from colleagues or trusted partners.
- Verify unusual requests. If something seems off, do not use the contact information provided in the message or call. Verify the request through a trusted source before responding.
In a separate incident in October, Harvard confirmed that it was a victim of a data breach after the Clop ransomware gang added it to its data-leak extortion site, claiming it had breached the school’s systems using the zero-day vulnerability in Oracle’s E-Business Suite servers.
This ransomware actor has been exploiting the zero-day flaw (CVE-2025-61882) since early August 2025 to steal sensitive files from many victims’ Oracle EBS platforms, targeting The Washington Post, Logitech, GlobalLogic, and American Airlines subsidiary Envoy Air, with their data also leaked online and now available for download via Torrent.
Dartmouth College also found itself in the crosshairs of this gang and disclosed a data breach following the Clop gang’s data leak, in which the personal information of 1,494 individuals was stolen. However, the total number impacted by this breach is expected to be much higher, as the school has not yet filed breach notices with other states.
Through the investigation, Dartmouth determined that an unauthorized actor took certain files between 9 and 12 August 2025. “We reviewed the files and on 30 October 2025, identified one or more that contained your name and Social Security number,” the college says in letters mailed to individuals affected by the data leak.
Dartmouth said that the malefactors also stole documents containing the financial account information of impacted individuals.
These Databases Are Goldmines
Michael Bell, Founder & CEO of Suzu Labs, said: “What’s striking about the Harvard and Dartmouth breaches is that two completely different attack vectors (vishing and Oracle EBS zero-day exploitation) successfully targeted the same type of data at similar institutions within weeks, demonstrating that alumni and donor databases are being systematically targeted through multiple methods simultaneously. These databases are gold mines: they contain high-net-worth individuals’ contact information, giving history that reveals financial capacity, and relationship networks enabling sophisticated social engineering and fraud.”
According to him, organizations with donor databases need to assume they’re under attack from multiple vectors at once and implement both technical controls (patching legacy systems like Oracle EBS) and human-layer defenses (security awareness training for development staff handling sensitive donor relationships).
The Convergence of Risks
John Carberry, Security Sleuth at Xcape Inc, added that these two events underscore the complex and multifaceted threats facing universities that hold valuable data.
“Harvard fell victim to a voice phishing attack, which compromised its Alumni Affairs systems and exposed contact and donation information, a low-tech method that yielded high-value financial espionage. Dartmouth, in contrast, was targeted by the Cl0p ransomware gang, who exploited a zero-day vulnerability (CVE-2025-61882) in the Oracle E-Business Suite to steal sensitive files containing Social Security numbers and financial data.”
Carberry said: “These events highlight the convergence of risks: identity compromise through phone calls or social engineering and ERP integrations that make business systems vulnerable. To mitigate these risks, universities should implement phishing-resistant MFA, strong SSO, rigorous help-desk verification processes, strict least-privilege access controls for advancement and ERP connectors and monitor for unusual API usage or bulk data exports – along with rapid token and key rotation after any suspected breach.”
He said donors and alumni should anticipate targeted fraud and phishing attempts and should consider credit freezes for added security. “When a phone call or an integration can unlock your donor vault, identity, not just endpoints, is the new campus perimeter.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


