Princeton Database Breached in Targeted Phishing Incident
The database kept by the University’s Advancement department contains information about alumni, donors, and other Princetonians
A Princeton University Advancement database containing information about alumni, donors, some faculty, students, parents, and other members of the University community was compromised by external actors on Nov. 10, Princeton officials said in a Nov. 15 message to those affected. The breach lasted less than 24 hours.
According to a statement from Daren Hubbard, vice president for information technology and chief information officer, and Kevin Heaney, vice president for advancement, the database contains personal information such as names, email addresses, telephone numbers, and home and business addresses. It also includes information about fundraising activities and donations.
The University, in a series of FAQs about the breach, said it believes the database does not contain Social Security numbers, passwords, or sensitive financial information, including credit card or bank account numbers. The database also does not contain detailed student records covered by federal privacy laws or data about staff employees unless they are donors. It may take several weeks for the University to identify exactly what data was taken.
“We do not at this point know precisely what information was viewed or extracted,” Hubbard and Heaney wrote.
According to the University, the breach stemmed from a phone phishing scam targeting a University employee who had routine access to the Advancement database.
The University has notified law enforcement and is working closely with them and outside cybersecurity experts. At the time of publication, no suspects have been identified, nor is there information to share about a criminal investigation.
“We urge you to be alert for unusual messages that purport to come from the University,” Hubbard and Heaney wrote. “No one from Princeton University should ever call, text, or email you asking for sensitive information such as Social Security numbers, passwords, or bank information.”
The attack follows a large-scale data breach at the University of Pennsylvania from Nov. 1, where individuals claiming responsibility for the security breach released thousands of pages of internal university files, including internal talking points, memos about donors and their families, receipts of bank transactions, and personal identifying information. The group claimed it gained export data on “1.2 million University of Pennsylvania students, alumni, and donors” from Penn’s databases, although Penn officials said that number “has been mischaracterized and overstates the impact.”
In another cybersecurity incident this past summer at Columbia University, a hacker caused a dayslong IT outage and obtained 460 gigabytes of data, including at least 1.8 million Social Security numbers belonging to faculty, staff, applicants, students, and their families.
Of the Princeton incident, Hubbard and Heaney wrote, “We have no factual information indicating that this attack is connected or related to any other incident.”
Alumni and others affected by the breach can send questions or concerns to the University at cyberincident@princeton.edu.


