Last month Harvard University uncovered “an intrusion” on its computer networks, the school disclosed late Wednesday.
The discovery, which was made June 19, affects two IT systems that impact eight colleges and administrations, the school says. These include the Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study, Central Administration, the Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, or Harvard T.H. Chan School of Public Health.
Meanwhile, the Harvard Kennedy School as well as Harvard’s business, law, medicine, and dental schools, appear to be unaffected by the breach.
Anyone associated with the first four groups listed above should change the password to their school network login, the university recommends. People affiliated with the next four groups should instead change the password, the school says, to their university email account, a service powered by Microsoft MSFT Exchange.
Don’t expect that new passcode to last long though. The school notes that it will require a future password refresh as well: “Password changes will be required again at a later time as the University takes further steps to enhance security,” per a letter from Provost Alan Garber and executive vice president Katie Lapp.
Harvard’s administration says it is as yet uncertain about what data has been stolen. “It is possible that Harvard login credentials (computer and email passwords, including Office 365) stored on the compromised [Faculty of Arts and Sciences] and Central Administration networks have been exposed,” the letter says, before urging the password changes detailed above.
The administration notes that it has “no indication that research data or personal data managed by Harvard systems (e.g. social security numbers) have been exposed,” nor that “PIN credentials, used to access University systems and web resources, have been exposed,” nor that Harvard emails have been exposed.
In a FAQ accompanying the news, the school says that upon learning of the breach, it “implemented enhanced security measures to protect University data and systems. In addition, we notified federal law enforcement and engaged an external cybersecurity firm to conduct a thorough investigation, which is currently underway.”
The school says it delayed disclosing the incident so it could shore up defenses and minimize damage. “We notified the community as soon as we were confident that notification would not jeopardize our efforts to secure systems and limit damage from the intrusion, potentially making the situation much more difficult to resolve,” the FAQ states.
In June, the U.S. Office of Personnel Management revealed hat it had succumbed to what could be the biggest known data breach in government history. James Clapper, the nation’s top intelligence boss, says that he believes China is responsible for the federal agency’s hacking, which may affect millions of workers’ sensitive personal information and government background investigation records.
When the news outlet TechCrunch asked Harvard whether the two events are linked, the school redirected a reporter to its websites containing information about the breach, but which contain no technical details about the attack itself.
Earlier this year, Pennsylvania State University’s college of engineering said it had suffered years-long data breaches that forensic investigators at the cybersecurity firm FireEye FEYE have, as in the OPM breach, traced to China. Last year both Johns Hopkins University and the University of Maryland announced that they had fallen victim to data breaches, too.
This is not Harvard’s first cyber incident, TechCrunch notes. The universiy was targeted earlier this year with a website defacing believed to be the work of a hacker group called AnonGhost. And the some of the school’s servers were reportedly targeted by another hacker group called GhostShell in 2012.
Correction: An earlier version of this story misstated the date of Harvard’s breach discovery as July 19. The correct date is June 19.
