Princeton University over the weekend disclosed a data breach impacting alumni, donors, faculty, students, parents, and other members of its community.
On November 10, the university says, a threat actor accessed an Advancement database containing names, addresses, email addresses, and phone numbers, along with information on fundraising activities and donations to the institution.
According to the university, the data breach likely impacted all alumni (even enrolled students who did not graduate), alumni spouses and partners, the widows and widowers of alumni, university donors, current students, parents of current and past students, and current and past faculty and staff.
The database generally contains information related to fundraising and alumni engagement activities, but no passwords, Social Security numbers, or financial information.
It does not contain detailed student records or data about staff employees either, unless they are donors. No TigerNet or other passwords appear to have been compromised, Princeton’s incident notice reads.
The data breach was the result of a November 10 phone phishing attack targeting an employee who has “ordinary access to the Advancement database”, the university says.
Princeton notes that the threat actor was evicted from the compromised system within 24 hours, but it has yet to determine what type of information they might have viewed or accessed.
The institution is investigating the attack with assistance from outside experts and law enforcement, but says no other Princeton IT systems have been compromised.
Princeton is notifying all potentially affected individuals who had an email address stored in the database. For some people, however, no email address was found.
The university says it has not received communication from the attackers related to the incident, and it has no information to share about potential suspects.
Princeton encourages all potentially affected individuals to be wary of unusual messages claiming to come from the university and asking recipients to provide personal information.
Related: DoorDash Says Personal Information Stolen in Data Breach
Related: Checkout.com Discloses Data Breach After Extortion Attempt
