Hack at Columbia Hits 870K People

A recent data breach at Columbia University has exposed the personal information of hundreds of thousands of people, including students, applicants, and employees. The breach, which occurred in May, affected approximately 870,000 individuals, with the stolen data including sensitive information such as Social Security numbers, financial aid details, and health records.

The university provided draft notices to officials in Maine and California, indicating that it intends to send notifications to affected parties in their states. Both states require swift notification of any breach that includes personal data, according to Bloomberg. The notices revealed that a technical outage disrupted some of the university's IT systems in June, leading university leaders to suspect a possible cybersecurity attack.

An investigation into the breach revealed that a hacker had gained access to Columbia's system and stolen files in May. The stolen data includes contact details, academic history, financial aid information, insurance details, and health records. Notably, no patient data from the Columbia University Irving Medical Center appears to have been compromised.

The university encouraged those affected to monitor their account statements and credit reports for any signs of fraudulent activity. It also offered two years of free credit monitoring and identity restoration services from a financial and risk advisory firm. In response to the breach, the university stated that it has implemented additional safeguards across its systems to enhance security.

"We have implemented a number of safeguards across our systems to enhance our security," the letters read. "Moving forward, we will be examining what additional steps we can take and additional safeguards we can implement to prevent something like this from happening again."

A public statement from the university's Office of Public Affairs last week acknowledged that since June 24, Columbia has seen no evidence of any further unauthorized access to the university's system. Starting August 7, the university promised to begin notifying affected students, employees, and applicants on a rolling basis via mail.

"We recognize the concern this matter may have raised and appreciate your ongoing patience during this challenging time," the statement read. "Please know we are committed to supporting the University community."

A Columbia official previously told Bloomberg that the hacker seemed to be trying to further a "political agenda." The investigation into the matter also found that the hacker was "highly sophisticated" and "very targeted."

The alleged hacker, who got in contact with Bloomberg, gave the news outlet 1.6 gigabytes of data, claiming it contained decades' worth of applications to Columbia. The application data included New York City mayoral candidate Zohran Mamdani, who applied to Columbia but didn't get in. Bloomberg confirmed with eight Columbia students and alumni that the information about them contained in the data was accurate.

The data provided to Bloomberg did not contain names, Social Security numbers, or birth dates. The person claiming to be the hacker texted Bloomberg that the purpose of the stolen data was to prove the university continued affirmative action in admissions after the 2023 Supreme Court ruling against such practices.

How the Hack Was Carried Out

The alleged hacker claimed to have spent more than two months ensuring their access to Columbia's computer systems. They hacked about 460 gigabytes of data total, including 1.8 million Social Security numbers of employees, students, and their family members.

According to Bloomberg, the person claiming to be the hacker was highly targeted in their efforts. The investigation found that they were "very sophisticated" and had a clear motive for their actions.

What's Next for Columbia University

The university has promised to take steps to prevent similar breaches in the future. Starting August 7, it will begin notifying affected students, employees, and applicants on a rolling basis via mail.

"We recognize the concern this matter may have raised and appreciate your ongoing patience during this challenging time," the statement read. "Please know we are committed to supporting the University community."