Princeton University said a database was compromised in a cyberattack on November 10 that exposed personal information belonging to alumni, donors, faculty members and students.
The university said attackers gained access after targeting a university employee in a phishing attack, which allowed access to biographical information related to fundraising and alumni engagement, including names, email addresses, telephone numbers and home and business addresses. Daren Hubbard, Vice President for Information Technology and Chief Information Officer, and Kevin Heaney, Vice President for Advancement, said the compromised records were limited to those types of information.
Princeton officials said the affected database did not generally contain Social Security numbers, passwords or financial information such as credit card or bank account numbers, and that it did not include detailed student records covered by federal privacy laws or staff data unless the staff were donors.
The university said groups likely to have had data exposed include all university alumni (including anyone ever enrolled), alumni spouses and partners, widows and widowers of alumni, any donor to the university, parents of current and past students, current students, and current and past faculty and staff.
Princeton said it has blocked the attackers’ access to the database and believes they were unable to access other systems on the network before being evicted. A university spokesperson redirected questions about the number of individuals affected and whether a ransom was demanded to the FAQ page.
Officials urged potentially affected individuals to be cautious about messages requesting sensitive information and to verify any communication with a known university contact before clicking links or downloading attachments.
The incident follows a separate early-November disclosure by the University of Pennsylvania that data stolen in October included donor and internal development materials. Princeton said it has no factual information indicating a connection between its breach and other incidents.