A Harvard Graduate School of Arts and Sciences (GSAS) Web server that contained summaries of GSAS applicant data for entry to the Fall 2007 academic year, summaries of GSAS housing applicant data for the 2007-08 and 2006-07 academic years, and administrator information was hacked by an outsider and compromised in a way that the data on the server could have been viewed or copied. The GSAS site was taken down from Feb. 17 until Feb. 21 in order to investigate the incident and to improve security.
The University’s initial examination did not reveal the full extent of the hack. As the investigation continued, it became apparent that some sensitive applicant data, including Social Security numbers, could potentially have been accessed. The University has informed the GSAS community, and has apologized for the error. At Harvard’s expense, identity theft recovery services are being made available to the people who might be potentially affected.
Guarding against hacking is a constant battle as hackers continue to challenge and occasionally breach security systems. Harvard has taken and will continue to take steps to protect its servers as well as possible.
“Protecting personal information is something Harvard takes seriously, and we are truly sorry for the inconvenience and concern this incident may cause,” said Margot N. Gill, administrative dean of the GSAS. “We are notifying and apologizing to the affected individuals and making identity theft recovery services available to them at our expense. Please be assured that we are taking steps to do what we can to prevent future incidents of this kind.”
The server contained summaries of data from approximately 10,000 applicants for admission and housing that were used by GSAS administrators during the admissions process and to match students with housing. There were approximately 6,600 summaries from admissions candidates from the United States consisting of each applicant’s name, Social Security number, date of birth, address, e-mail address, phone numbers, test scores, previous school attended, and school records. The remainder of the admissions data did not involve Social Security numbers. There were approximately 500 summaries of housing application data that included Harvard University ID numbers. A small number of housing application summaries (13) contained information about personal health issues such as food allergies.
Because the University could not rule out the possibility that all of the information on this server was copied and distributed more broadly, notifications are being sent to all persons who may have been affected by this incident. In situations where applicants’ Social Security numbers or Harvard University ID numbers may have been accessed, the notifications provide contact information for free use of the services provided by Kroll Inc. At Harvard’s expense, Kroll is helping potentially affected persons obtain copies of their credit reports, set up credit-monitoring services and fraud alerts, and take other steps to protect themselves.