HARVARD University and the University of Pennsylvania (UPenn) have both suffered data breaches affecting donor information, with leaked data reportedly including donor names, addresses, donation histories and related biographical details.
Harvard said the incident stemmed from a phone-based phishing attack on Alumni Affairs and Development, and its FAQ notes that the system generally contains personal information such as emails, addresses, event attendance and donation details, while indicating that many records do not contain data that would require personal notification letters.
UPenn’s breach, attributed to the ShinyHunters threat group, allegedly gave the attackers access to an employee’s PennKey SSO account and, through it, to VPN, Salesforce, Qlik, SAP and SharePoint data, with claims that around 1.2 million records were involved. The university reportedly told a court that only 10 individuals needed to be notified, though DataBreaches notes that this contradicts other reporting; according to Bleeping Computer, the breach affected roughly 1.2 million students, alumni and donors.
In its response, UPenn said through a spokesperson (as reported by Bleeping Computer) that it would notify affected individuals if required by applicable privacy regulations, with the Massachusetts and Pennsylvania frameworks referenced as relevant considerations. The piece concludes by weighing the ethical questions around notifying donors, and the potential for these wealthier individuals to be targeted, regardless of strict notification requirements.