Harvard University has started notifying members of its community, including alumni, students, and staff, about a data breach that exposed their personal information. The security incident originated not within Harvard’s own systems, but with a third-party software provider named Cvents, which is used by various university departments for managing events and engagement activities.

According to the notification letter issued by Harvard, the exposed data includes names, contact information, dates of birth, and certain demographic details. For what was described as a “very small number of individuals,” the compromised information also included Social Security numbers and financial account information.

Breach Discovery and Notification Timeline

The unauthorized access to Cvents’ systems was first discovered by the vendor on April 29, 2024. Cvents then informed Harvard about the security incident on May 16, 2024. Following its own investigation, Harvard University began sending out data breach notification letters to the affected individuals on June 13, 2024. The breach specifically impacted a legacy “classic” events system used by Cvents.

University Response to Exposed Data

In response to the incident, Harvard University is taking steps to support those affected. For the individuals whose Social Security numbers or financial account information were confirmed to be involved in the breach, the university is offering two years of complimentary identity theft protection services through Experian. This measure is intended to help safeguard the identities of the most impacted members of the community. The Cvents security incident affected multiple organizations, with a filing to the Maine Attorney General’s Office indicating over 12,000 individuals were impacted across its customer base.

Source: https://www.securityweek.com/alumni-student-and-staff-information-stolen-from-harvard-university/