Harvard University and the University of Pennsylvania (UPenn) have more in common than just being Ivy League universities. Both suffered data breaches involving donor information, and their stolen data was leaked.
Harvard
On November 18, Harvard discovered that its Alumni Affairs and Development systems had been compromised following a phone-based phishing (vishing) attack. Its webpage on the incident has not been updated since December 19, but in relevant part, the FAQ states that the system generally contains personal information such as email addresses, telephone numbers, home and business addresses, event attendance, details of donations to the University, and other biographical information related to University fundraising and alumni engagement activities. It also holds information on fundraising, donors, and communications among alumni, donors, and the University.
In terms of who was affected, the FAQ identifies the following groups:
- Alumni
- Alumni spouses, partners, and widows/widowers of alumni
- Donors to Harvard University
- Parents of current and former students
- Some current students
- Some faculty and staff
Will they receive individual notification letters? Maybe. Or maybe not. The FAQ states, “As our investigation continues, we will assess if specific notifications are needed.”
It has been more than 60 days since Harvard discovered the breach, but the Massachusetts breach notification law does not set a specific deadline for notifying the state and affected consumers. Of note, Massachusetts defines “personal information” as a resident’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements:
- Social Security number;
- driver’s license number or state-issued identification card number; or
- financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password, that would permit access to a resident’s financial account.
Harvard’s FAQ stated that the affected systems generally did not contain Social Security numbers, passwords, payment card information, or financial account numbers. The elements reportedly involved do not, on their own, trigger the statutory notification requirement. Some individual records may contain one of the triggering elements, but it appears that most do not contain data that would require personal notification letters, even where they include sensitive information about a donor’s wealth.
UPenn
According to Bleeping Computer, ShinyHunters, the same threat actors that attacked Harvard, “gained full access” to an employee’s PennKey SSO account, which in turn gave them access to Penn’s VPN, Salesforce data, the Qlik analytics platform, the SAP business intelligence system, and SharePoint files. On November 11, the university confirmed a breach that had occurred at the end of October.
“They said they exfiltrated data for roughly 1.2 million students, alumni, and donors, including names, dates of birth, addresses, phone numbers, estimated net worth, donation history, and demographic details such as religion, race, and sexual orientation,” Bleeping Computer reported.
To the shock of some, UPenn allegedly told the court hearing a potential class action lawsuit that only 10 people needed to be notified. Only 10 people? ShinyHunters claimed to have taken 1.2 million records.
It may sound outrageous or suspicious, but Pennsylvania’s Breach of Personal Information Notification Act (BPINA) defines the “personal information” that triggers breach notification obligations as
- An individual’s first name or first initial and last name
and
- Any one or more of the following, not made publicly available:
- Social Security number;
- driver’s license number and/or state identification card number;
- financial account numbers;
- medical information in the possession of a State agency or State agency contractor;
- health insurance information; or
- user name or email address, in combination with a password or security question and answer, that would allow access to an online account.
As defined, donor information (names, contact details, net worth estimates, giving history) may not trigger BPINA notification requirements at all. Student data that includes Social Security numbers would trigger BPINA notification, even though FERPA itself imposes no breach notification requirement.
In a statement sent to DataBreaches today in response to an inquiry asking whether they had really claimed only 10 people were notified, a spokesperson for UPenn wrote, “We are analyzing the data and will notify any individuals if required by applicable privacy regulations.”
That sounded reasonable until I discovered that, two days earlier, the university had claimed it had already completed its investigation. Aidan Shaughnessy reported:
Penn resolved its investigation into an October 2025 cybersecurity breach — which reportedly compromised the data of over 1.2 million University students, alums, and donors — last month.
According to a University spokesperson, Penn completed a “comprehensive review” of the Oct. 31 incident and notified affected individuals. The University’s webpage about the data breach — which previously offered community guidance — now displays a 404 error.
“Penn conducted a comprehensive review of the downloaded files to determine whose information may have been involved. That review is now complete,” the University spokesperson wrote. “Penn sent notifications to the limited number of individuals whose personal information was impacted as required by applicable notification laws.”
So when asked why only 10 people were notified, the university says it is still analyzing the data, even though it previously said its comprehensive review was complete. Its webpage about the incident has been removed, and there has been no substantive update with details.
Got Ethics?
Over on infostealers[.]com, Alon Gal describes the sensitivity of the material in the Harvard University breach and the ethical issues surrounding “admission holds” revealed in the leak.
DataBreaches would add two additional ethical issues arising from the breaches.
Both data tranches contain donor data, including wealth information linked to names and contact details. High-wealth donors whose information has been leaked are likely to be targeted by phishing or vishing attempts that can now be tailored with their giving history and estimated net worth.
Even if the state laws do not require notification, should the universities notify donors (“in an abundance of caution,” as some might say)?
What is the ethical way for the universities to deal with these breaches to protect those whose data has been acquired and to protect and restore trust if state law does not require notification?
And how ethical is it for a university to claim it is still analyzing the data after previously stating on the record that its comprehensive review was complete and that everyone who needed to be notified had been?