Hacked Columbia University student, alumni data includes bank numbers, GPAs

The university said that an unauthorised party accessed data on students, applicants, and some staff, including admissions, financial aid, and certain personal information

Don't want to miss the best from Business Standard?

By Cameron Fozi

 

The financial information and academic performance of Columbia University students and alumni were stolen in a recent breach, according to a Bloomberg News review of some of the pilfered data. 

The data includes bank account and routing numbers, student loan and scholarship disbursements, standardized test scores, grade-point averages, class schedules, home addresses and other contact information, a Bloomberg review of 53.6 gigabytes of the stolen files shows. Nine current and former students who began attending Columbia undergraduate and graduate programs as early as the 1990s confirmed the accuracy of their data in the files. Bloomberg couldn’t verify the entire cache. 

 

The new details about the hacked data, which haven’t been previously reported, provide another headache for a university that is trying to regain its footing following a bruising battle with the Trump administration over claims that it fostered antisemitism and discriminated on the basis of race and national origin.

 

In response to questions from Bloomberg, a Columbia spokesperson said the investigation into the cyberattack — including the specifics of the information exposed — was ongoing. Columbia will begin notifications this week to individuals believed to be affected by the attack, the spokesperson said, adding that the school encouraged “all members of the university community” to remain vigilant against scams and regularly monitor accounts for suspicious activity. 

 

The university announced on its website Wednesday evening that an unauthorized party had acquired data about students and applicants regarding admissions, enrollment and financial aid, as well as certain personal information associated with some university employees. The affected data, the university said, included Social Security numbers, contact details, academic history and other information about demographics, financial aid, insurance and health.

 

In its statement, Columbia said it would begin notifying individuals by mail on Thursday whose personal information might have been affected. The university said it would offer those individuals two years of credit monitoring, fraud consultation and identity theft services through a vendor.

 

In June, Columbia began investigating a potential cyberattack following an IT outage at the school. A university official described the perpetrator of the breach as a “hacktivist,” meaning the attacker was politically motivated as opposed to seeking financial gain.

 

Last month, Bloomberg reported that personal information from applications to Columbia dating back decades — including whether applicants were accepted or rejected by the school — had been stolen, after reviewing 1.6 gigabytes of data provided by a person who claimed responsibility for the cyberattack.

 

A separate 53.6-gigabyte cache of data reviewed by Bloomberg was made available by Jordan Lasker, who runs a blog that has promoted views about race and IQ that have been criticized as offensive and scientifically flawed. Lasker said he obtained the 53.6-gigabyte cache of data from the alleged hacker. 

 

The hacker, who communicated with Bloomberg via X, confirmed that they provided the data to Lasker. The person’s X account, which includes a racist handle and racist remarks, declined to identify themselves saying they feared self-incrimination. Bloomberg hasn’t independently confirmed this person hacked the university’s records.

 

It’s not clear who else might have access to the stolen data. Even if it’s not immediately exploited, the hacked data could ultimately be used for malicious purposes including theft, identity fraud and stalking, according to security experts.

 

“Regardless of the criminal’s motive, anytime an individual is involved in a data breach, there is cause for concern,” said Rachel Tobac, chief executive officer of SocialProof Security. “It’s important to freeze your credit and be on the lookout for tailored phishing lures across all contact methods.”

 

Last month, Columbia reached a deal with the Trump administration to restore federal funding for research that included paying a $200 million penalty over three years to resolve multiple civil rights investigations, in addition to a series of reforms to bolster campus safety and oversight of international students. 

 

The university has been at the center of controversy since protests roiled its New York City campus over the war in Gaza following the Oct. 7, 2023, attack on Israel.