
Columbia University has confirmed a significant data breach that exposed the personal information of approximately 868,969 individuals, including students and applicants, after a cyberattack targeting its IT infrastructure earlier this year.
The breach was reported to the Maine Attorney General’s Office on August 7, 2025, following an internal investigation and forensic analysis. The university discovered the incident on July 8, 2025, nearly two months after the intrusion, which began on or around May 16, 2025.
According to Columbia’s notification letter sent to affected individuals, the university experienced a technical outage on June 24, which led to the discovery of a broader compromise involving unauthorized access to internal systems. A threat actor is believed to have exfiltrated files containing a range of sensitive data, including:
- Full names
- Dates of birth
- Social Security numbers
- Contact information
- Demographic data
- Academic records
- Financial aid details
- Insurance data
- Health information
Importantly, the university stated there is no evidence at this time that patient records from Columbia University Irving Medical Center were affected.
Founded in 1754 and located in New York City, Columbia University is one of the top academic institutions in the United States, with a global reputation and a large network of students, faculty, alumni, and applicants. It operates complex IT systems spanning administrative, research, medical, and academic services, making it a high-value target for cybercriminals seeking to monetize stolen data or gain leverage in ransomware operations.
Although Columbia has not disclosed the exact method of intrusion or the identity of the attackers, the breach has been classified as an external system hack. It remains unclear whether ransomware was involved or if the data has been published or sold on dark web forums. Law enforcement has been notified and is investigating.
The university has partnered with Kroll LLC, a cybersecurity and risk management firm, to offer 24 months of complimentary credit monitoring and identity theft protection to affected individuals. Kroll’s services include fraud consultation and identity restoration support. Impacted parties are advised to activate these services before the deadline provided in their individual notice letters.
Those potentially impacted by the breach are also advised to monitor credit reports and financial accounts for unusual activity, place a fraud alert or credit freeze, and report any suspicious cases to law enforcement and the Federal Trade Commission.