As someone who works at a University with student and employee data, I will tell you, this is the kind of thing one worries about.
This was not a Joomla! vulnerability. In fact, the Joomla! website was not ever cracked or defaced, at all.
What happened was an unethical person gained access to a network administrator's userid and password. With those credentials, that person illegally logged onto the server. By server, I mean the Linux server that housed the website and other files and databases. The individual had "root level" control of the entire server.
With that access, this person copied files and folders off of a file server - those files included a file called joomla.sql that was a backup of a beautiful Graduate College of Arts and Sciences
Joomla! website. These files were zipped up, along with credentials used to access the server - and the contents were floated out to the world of BitTorrent. A couple of days later, the media figured out what happened and gave these accounts.
1 - http://www.devicepedia.com/security/har ... rrent.html
2 - http://torrentfreak.com/harvard-website-hacked-080218/
3 - http://www.pcworld.com/article/id,142589/article.html
If you actually read what the GSAS said in the announcement entitled Harvard Graduate School of Arts and Sciences hacking incident
states the worst case scenario of potential compromise since the creditials used provided access to all data on the entire server:
As the investigation continued, it became apparent that some sensitive applicant data, including Social Security numbers, could potentially have been accessed.
That's the type of fear that those of us who work with personally identifiable data worry about.
I hope they catch this bastard because the damage done to these people will never end. They will have to watch their records closely from now on to see if someone tries to assume their identity and harm them financially.
Joomla!'s only relationship to this situation was the name of the database backup file that was included in the zip file on the torrent. It's unfortunate Joomla! is getting a "black eye" on this since it was not a Joomla! vulnerability. In light of the recent announcement, though, real people have been harmed and that is the real tragedy with this story.
I wish the media would read some of the articles they link to as reference material. Following this one story made me keenly aware that reporting the facts isn't always what happens.
Anyway, hope that helps.