Students’ Information Compromised by Data Breach at Harvard Business School

Harvard Business School is working to respond to a data breach that compromised students’ personal information, including some social security numbers and exam submissions.

HBS Chief Information Officer Ronald “Ron” S. Chandler initially announced the breach in an email to school affiliates on Jan. 11.

Chandler wrote that the Business School was notified by a software vendor of unauthorized access to its files on Dec. 29, after which the school launched an investigation. The investigation found that one or more “unauthorized third parties” had downloaded “files containing personal information” between Dec. 21 and Dec. 23.

In a follow-up email to affected students on Feb. 10, HBS Information Security Officer and Managing Director of IT Compliance Christopher “Chris” W. Pringle confirmed that some affiliates’ social security numbers had been compromised, in addition to other personal information — such as names, contact information, date of birth, course enrollments, and exam submissions.

Brian C. Kenny, a spokesperson for the Business School, wrote in an emailed statement Wednesday that HBS had been informed of the software vulnerability prior to Dec. 29, and had accepted a “software patch” that the vendor provided.

The vendor also notified HBS on Jan. 20 of another vulnerability in its software “for which there was no patch available,” which may also have exposed additional files, per Kenny.

“After applying a patch from the vendor in December, HBS has since discontinued use of the vulnerable software altogether and is coordinating with local and federal law enforcement to further investigate the incident,” Kenny wrote.

An MBA student affected by the incident who was granted anonymity by The Crimson due to the theft of their personal information, called the situation a “huge breach in trust between students and HBS.”

The student also said the Business School should be “more proactive and communicative” with affected students, noting that he has not yet heard back from the IT Department or the Student Association at HBS on specifics of the incident.

Kenny declined to comment on the scope of the breach, but wrote that HBS is “in the process of notifying individuals as required by law” and will make “certain voluntary notifications where it deems appropriate.”

The Business School plans to provide information about “what steps to take to safeguard against identity theft,” and will also offer 24 months of free credit monitoring services for affected students in the United States, per Kenny.

A second-year MBA student whose data was compromised, to whom The Crimson also granted anonymity, said that he was “a little bit concerned” about the breach, but ultimately didn’t “see the threat at the moment.”

He added that he has “a lot of confidence” in how HBS has handled the incident and in “how the school is run.”

—Staff writer Carrie Hsu can be reached at carrie.hsu@thecrimson.com.