Harvard University notified students at the Graduate School of Arts and Sciences yesterday that their personal information may have been compromised when a hacker hijacked the school's server last month.
University officials also announced that they will send notices today to approximately 10,000 of last year's applicants, who were exposed during the breach.
For approximately 6,600 applicants, the information included Social Security numbers, e-mail addresses, phone numbers, test scores, and school records.
The remainder of the sensitive data did not involve Social Security numbers.
The school will begin notifying applicants today and will provide them free identity theft recovery services, help them obtain copies of their credit reports, and set up credit-monitoring services and fraud alerts.
"The university's initial examination did not reveal the full extent of the hack," Harvard said in a statement. "As the investigation continued, it became apparent that some sensitive applicant data, including Social Security numbers, could potentially have been accessed. The University has informed the GSAS community, and has apologized for the error."
Officials said there was no evidence to indicate the information, part of applicant data from the 2007-08 academic year, was stolen or had been used improperly, but that the possibility could not be ruled out.
Housing data from that year and the year before were exposed, as well.
The site was taken down from Feb. 17 to Feb. 21 to investigate the incident and improve security. Whoever was responsible has not been found.
"Protecting personal information is something Harvard takes seriously, and we are truly sorry for the inconvenience and concern this incident may cause," said Margot Gill, administrative dean of the graduate school.
Dan Moriarty, Harvard's chief information officer, said the college had strengthened its security system.
"This is really a cautionary tale for anyone in higher education," he said.
In January, Harvard alerted students and staff that an undergraduate had allegedly produced counterfeit university identification cards that could be used as debit cards and to enter residence halls.
University officials said they did not believe that any accounts had been improperly debited.