Sensitive Data of Columbia University Students and Staff Compromised in Major Breach

Columbia University, a private Ivy League research institution, said it suffered a significant data security incident earlier this year that compromised the sensitive personal data of its students and staff.

 

Founded in 1767 as King’s College, Columbia University has more than 20,000 employees, and over 35,000 enrolled students across 19 schools and special programs.

 

In a data security incident notice filed with the Office of Maine Attorney General, Columbia University said that on June 24, it experienced a technical outage that disrupted several critical systems within its internal network. The university immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

It also took steps to contain the incident, secure the affected network and notified relevant law enforcement authorities about the same.

 

“ Our investigation determined that, on or about May 16, 2025, an unauthorised third-party gained access to Columbia’s network and subsequently took certain files from our system. 

 

“Our investigation has identified that the unauthorised party obtained information about students and applicants related to admissions, enrollment, and financial aid processes, as well as certain personal information associated with some Columbia employees,” Columbia University said.

 

The compromised data included  names, dates of birth, Social Security numbers, data regarding application to Columbia, contact details, demographic information, academic history, insurance-related information and health information.

 

The filing with the Maine state regulator also states that the university has identified at least 868,969 individuals impacted by the incident.

 

“We have implemented a number of safeguards across our systems to enhance our security. Moving forward, we will be examining what additional steps we can take and additional safeguards we can implement to prevent something like this from happening again,” the university added.

 

Columbia University found no evidence of the compromised information being misused, however, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered two years of complimentary identity protection and credit monitoring services through Kroll to all affected individuals.