Harvard University announced that on June 19 an intrusion was discovered on the Faculty of Arts and Sciences (FAS) and Central Administration information technology networks, and that Harvard login credentials may have been exposed.
The login credentials stored on the compromised networks are computer and email passwords, including Office 365, and as a result, Harvard is requiring some members of the community to change their passwords, a FAQ said.
Those who are part of the FAS, Harvard Divinity School, Radcliffe Institute for Advanced Study, or Central Administration must change the password associated with their Harvard accounts, meaning their computer login and email accounts.
Those who are part of the Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, or Harvard T.H. Chan School of Public Health must change their email password, meaning Office 365 or Icemail.
There has been no indication that personal data, research data, or PIN System credentials have been exposed, the FAQ noted, adding that password changes will be required again at a later date as Harvard takes steps to improve its security.
“Since discovering this intrusion, Harvard has been working with external information security experts and federal law enforcement to investigate the incident, protect the information stored on our systems, and strengthen IT environments across the University,” a cyber alert signed by Alan Garber, Provost of Harvard University, and Katie Lapp, executive VP of Harvard University, said.
When reached for additional information, Harvard referred SCMagazine.com to the security advisories, indicating that they contain all the information known at this time.
In a statement emailed to SCMagazine.com on Thursday, Sergio Galindo, GM of GFI Software, said that attackers are easily able to gain entry into university IT systems because many are dated and unsupported.
“Due to a mixture of inertia, cost/spend aversion, and budget priorities, university and other IT decision makers often try to stretch IT assets beyond what's advisable,” Galindo said. “All of these factors – on their own, and collectively – increase the likelihood that hackers will exploit the insecurities and vulnerabilities of a relatively unsupported system to gain access.”