Columbia University data breach impacts nearly 870,000 individuals
An unknown threat actor has stolen the sensitive personal, financial, and health information of nearly 870,000 Columbia University current and former students and employees after breaching the university's network in May.
Established in 1767 as King's College, Columbia University is a private Ivy League research university with a budget of $6.6 billion in 2024, over 20,000 employees, including 4,700 academic staff, and over 35,000 enrolled students across 19 schools and special programs.
The breach was discovered and reported to law enforcement authorities following an outage that affected some of its systems on June 24, following an investigation with support from external cybersecurity experts.
In notification letters filed with the office of Maine's Attorney General on Thursday, August 7, the university said that the data breach affects 868,969 individuals, including employees, applicants, current and former students, and family members.
"Our investigation determined that, on or about May 16, 2025, an unauthorized third-party gained access to Columbia's network and subsequently took certain files from our system," Columbia University said. "To date, we have no evidence that any Columbia University Irving Medical Center patient records were affected."
The university first confirmed the data theft last week in a statement, following reports that the alleged hacker claimed to have stolen 460 gigabytes of data from the compromised systems.
On Wednesday, the university issued another statement, confirming that the stolen data belongs to current and former students, applicants, and some Columbia employees.
According to the letters sent to affected individuals via the U.S. Postal Service, the stolen data includes a combination of personal, financial, and health information.
"The affected data included your name, date of birth, and Social Security number, as well as any personal information that you provided in connection with your application to Columbia, or that we collected during your studies if you enrolled," the university added.
"This included your contact details, demographic information, academic history, financial aid-related information, and any insurance-related information and health information that you shared with us."
While Columbia University has no evidence that the data has been misused in identity theft or fraud attempts, it will provide two years of free credit monitoring, fraud consultation, and identity theft restoration services through Kroll to those impacted by this data breach.
