An attacker used vishing (phone-based social engineering) to gain access to Harvard University’s Alumni Affairs and Development Office systems and exfiltrate PII, including email and home addresses of alumni, donors, students, and faculty; a concurrent breach at UPenn suggests coordinated or opportunistic targeting of higher-education institutions. No software vulnerability or CVE is involved; the root cause is a human authentication failure in credential reset or access grant workflows. Organizations, particularly higher-education institutions and other institutions with development office or CRM systems, should audit phone-based credential reset pathways, enforce callback verification and out-of-band identity confirmation, and review bulk data access logs on systems holding alumni, donor, or student PII.
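One way to carry out the log review recommended above, as an added example that is not part of the original brief: it correlates phone-initiated credential resets with the volume of records the same account reads afterwards. The event fields, account names, four-hour window and 1000-record threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names, accounts and timestamps are illustrative assumptions.
RESETS = [
    {"ts": "2030-01-10T09:02:00", "account": "dev-office-01", "channel": "phone", "callback_verified": False},
    {"ts": "2030-01-10T11:30:00", "account": "dev-office-02", "channel": "phone", "callback_verified": True},
    {"ts": "2030-01-10T13:00:00", "account": "dev-office-03", "channel": "portal", "callback_verified": False},
    {"ts": "2030-01-10T14:00:00", "account": "dev-office-04", "channel": "phone", "callback_verified": True},
]
ACCESSES = [
    {"ts": "2030-01-10T09:20:00", "account": "dev-office-01", "records": 4000},
    {"ts": "2030-01-10T09:45:00", "account": "dev-office-01", "records": 3500},
    {"ts": "2030-01-11T10:00:00", "account": "dev-office-01", "records": 6000},  # outside window
    {"ts": "2030-01-10T12:00:00", "account": "dev-office-02", "records": 40},
    {"ts": "2030-01-10T13:10:00", "account": "dev-office-03", "records": 9000},  # reset was not by phone
    {"ts": "2030-01-10T14:30:00", "account": "dev-office-04", "records": 2500},
]

def audit_phone_resets(resets, accesses, window=timedelta(hours=4), bulk_threshold=1000):
    """Flag phone-initiated resets that skipped callback verification or that were
    followed, within `window`, by bulk record access from the same account."""
    findings = []
    for reset in resets:
        if reset["channel"] != "phone":
            continue
        start = datetime.fromisoformat(reset["ts"])
        end = start + window
        # Sum every read by this account inside the window, so an export that is
        # split into several smaller queries still crosses the threshold.
        total = sum(
            a["records"] for a in accesses
            if a["account"] == reset["account"]
            and start <= datetime.fromisoformat(a["ts"]) <= end
        )
        reasons = []
        if not reset["callback_verified"]:
            reasons.append("no_callback_verification")
        if total >= bulk_threshold:
            reasons.append("bulk_access_after_reset")
        if reasons:
            findings.append({"account": reset["account"], "reset_ts": reset["ts"],
                             "records_in_window": total, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in audit_phone_resets(RESETS, ACCESSES):
        print(finding)
```
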