Columbia University Data Breach: Confirmed Details, Who’s Affected, and Your Legal Rights

By James Woods
Managing Partner

NEW YORK, N.Y. - August 6, 2025 — Woods Lonergan is a complex commercial and civil litigation firm that represents clients in select data breach class action lawsuits. We have successfully pursued claims against national corporations, educational institutions, and technology vendors when failures in data security exposed sensitive personal, educational, and financial information.

In its ongoing investigation, Columbia University, headquartered in Morningside Heights, N.Y., with additional campuses in Midtown Manhattan and Washington Heights, confirmed on August 5 that a politically motivated threat actor had infiltrated its systems and exfiltrated hundreds of gigabytes of sensitive data tied to students, applicants, alumni, and employees. Columbia University will begin mailing notification letters to affected individuals on a rolling basis starting August 7.

New York residents have specific data breach rights under the New York SHIELD Act, and Columbia is legally required to notify the New York Attorney General. Columbia students and alumni who reside in other U.S. states will be subject to their home state’s data breach notification requirements, which vary in timing and scope.

As Columbia University continues to send data breach notifications on a rolling basis after August 7, you may receive a letter or email confirming your information was affected. Should you receive one, contact Woods Lonergan at (212) 684-2500 to discuss your legal options in confidence and at no cost. Our Data Breach Litigation Lawyers are actively examining this breach on behalf of affected students, alumni, applicants, and employees under New York and other applicable state laws.


Columbia University Data Breach Timeline

Data Breach Incident Date: June 24, 2025 — Major IT outage disrupts UNI login, email, and CourseWorks. Public monitors display unauthorized images.
Breach Discovery Date: Late June 2025 — Columbia University’s IT and information security teams identify unauthorized access and begin investigation.
Public Disclosure Date: August 5, 2025 — Columbia issues formal update confirming scope, affected groups, and data categories.
Notification Method & Start Date: Beginning August 7, 2025 — Rolling notification letters via U.S. Postal Service. Letters may arrive any time after that date.
Affected Populations: Current and former students, applicants, alumni, and certain employees (specific departments not disclosed). Independent reports (The Verge, Bloomberg) confirm records from at least 2019–2024, possibly earlier.
Confirmed Types of Data Compromised: See “Confirmed Data Categories” below.
CUIMC Patient Records: Columbia states there is no indication that patient medical records from Columbia University Irving Medical Center were affected.
Credit Monitoring Offered: 2 years of complimentary credit monitoring, fraud consultation, and identity restoration services.




Who is Affected in the Columbia University Data Breach

Columbia University Students (current and former): Columbia confirms exposure of personal and education records. Independent reporting indicates the data breach may also include bank account and routing numbers, GPAs, class schedules, and standardized test scores. In addition to grades and schedules, education records protected under FERPA can contain personal details — including those covered by the Individuals with Disabilities Education Act (IDEA) and Americans with Disabilities Act (ADA) — such as disability accommodations, counseling history, and other sensitive information.

Columbia University Applicants: Officially included in Columbia’s statement. Forensic review suggests records may go back to the 1990s, with confirmed exposure from at least 2019–2024. For applicants, in addition to admissions essays and test scores, education records protected under FERPA could include personal details governed by IDEA and ADA, recommendation letters, immigration documentation, and other sensitive records submitted during the application process.

Columbia University Alumni: Not named in Columbia University’s August 5 statement, but identified in independent dataset reviews by The Verge and Bloomberg.

Columbia University Employees: Certain personal information associated with some employees was compromised; specific departments not disclosed.

What Data Was Exposed in the Columbia University Data Breach

Columbia University has confirmed specific categories of compromised data through its own investigation, with further information independently corroborated by The Verge and Bloomberg following their review of the stolen files. As of August 6, 2025, exposed data has potentially been at risk for approximately 43 days (counting from the June 24 incident).

Confirmed Categories Impacted by the Columbia University Data Breach:

  • Social Security numbers (SSNs)
  • Home addresses, personal emails, phone numbers, and emergency contacts
  • Demographic information (date of birth, gender, citizenship status)
  • Grades and transcripts (course history, GPA)
  • Financial aid-related information, including FAFSA data (may include SSN, income tax records, asset information, family size, and dependency status)
  • Insurance-related information (enrollment forms, coverage details)
  • Certain health information (immunization records, disability accommodation requests)

Other Education Records Protected Under FERPA that could be included:

  • Individualized Education Programs (IEPs) and 504 plans (special-education accommodations under IDEA and disability-rights protections under ADA)
  • Confidential educational and psychological evaluations (learning-disability assessments, counseling records)
  • Disciplinary records (suspensions, academic-integrity proceedings)
  • Confidential academic advising notes
  • Standardized test scores
  • Citizenship and visa documentation (passports, visa applications)
  • Admissions decision records (including joint programs with Barnard College)

These education records are protected under FERPA and, in some cases, intersect with IDEA and ADA. Their exposure can have long-term consequences, from identity theft to reputational damage and the unauthorized disclosure of medical or psychological history.

Nature and Severity of the Columbia University Data Breach

The Associated Press described the attack as:
“A politically motivated hacker breached Columbia University’s data systems last week, stealing troves of student documents while briefly shutting down the school’s computer systems… the attack, described as highly sophisticated, briefly disabled access to university systems including emails and virtual learning platforms.”

Technical details and security implications of the Columbia University Data Breach (what early reporting and higher-ed patterns indicate):

  • Initial access likely via targeted phishing of UNI credentials, followed by privilege escalation.
  • Dwell time of weeks enabled lateral movement across an interconnected campus network (multiple NYC buildings and research centers), increasing blast radius.
  • Bulk exfiltration (~460 GB) transferred over encrypted channels, consistent with detection evasion.
  • Mix of structured and unstructured data suggests access beyond a single app (database exports + document repositories).
  • Universities’ decentralized IT and legacy systems can create monitoring blind spots and over-privileged service accounts, complicating containment.
  • Admissions systems tied to Barnard joint programs broaden the surface area for sensitive records.

Because the stolen files likely include FERPA-protected education records — some intersecting with IDEA and ADA — the breach raises legal and privacy concerns beyond a typical corporate incident. It also increases the risk of long-tail misuse (e.g., identity theft, synthetic identities, targeted spear-phishing leveraging academic details) that can persist for years.

If You Receive a Letter or Email From Columbia University

“Beginning August 7, we will begin notifying individuals, on a rolling basis, whose personal information may have been affected, via U.S. Postal Service mail.” (Columbia University, August 5 update)

If you receive such a letter, it will:

  • Identify the data categories involved in your case
  • Provide instructions for enrolling in complimentary credit monitoring and fraud-consultation services
  • Offer guidance on steps to protect your accounts and records

As Columbia University continues to send notifications on a rolling basis after August 7, you may receive a letter or email confirming your information was affected. Should you receive one, contact Woods Lonergan at (212) 684-2500 to discuss your legal options in confidence and at no cost. Our law firm is actively examining this breach on behalf of affected students, alumni, applicants, and employees under New York and other applicable state laws.

What Columbia University Community Members Should Do Now

  1. Monitor postal mail and Columbia-affiliated email for official notices; verify sender domains and cross-check with Columbia’s cyber update.
  2. Enroll in Columbia’s two-year credit monitoring and identity restoration once offered.
  3. Freeze your credit with all three bureaus and set fraud alerts.
  4. Obtain an IRS Identity Protection PIN to block tax-refund fraud.
  5. Change passwords on Columbia and personal accounts; enable multi-factor authentication.
  6. Monitor accounts (banking, email, student portals) for unusual activity; report fraud promptly at IdentityTheft.gov.

Legal Claims Woods Lonergan Is Investigating in the Columbia University Data Breach Lawsuit

  • Negligence / Negligence per se — failure to implement and maintain reasonable security (access controls, monitoring, segmentation) commensurate with the sensitivity of education records and PII.
  • Breach of Implied Contract — students, applicants, alumni, and employees entrusted data with the understanding it would be safeguarded.
  • Breach of Fiduciary Duty / Duty of Confidentiality — where applicable, failure to protect highly sensitive records (including FERPA-protected education records).
  • Unjust Enrichment — retention of benefits without providing reasonable data security.
  • State Data Breach Statutes — including the New York SHIELD Act and analogous laws in other states of residence (timely notice; reasonable security).
  • Various Legal Implications — the unauthorized disclosures may have run afoul of provisions of FERPA, the ADA / IDEA laws, and HIPAA requirements.

Venue & procedure: Depending on the claims and class scope, actions may proceed in New York County Supreme Court or, more likely, in the Federal District Court. Woods Lonergan is evaluating class and individual claims and potential injunctive relief (e.g., security upgrades, extended monitoring).

Contact Our Data Breach Litigation Team

If you believe your personal data may have been breached due to the Columbia University Data Breach, your privacy and security may be at risk. Contact us for a free and confidential consultation. Woods Lonergan’s expert data breach lawyers are skilled at securing for affected parties the justice they deserve. Call us 24/7 at (332) 378-0376 or email us at loganlowe@woodslaw.com. We take no fees unless we win.

About Woods Lonergan

Woods Lonergan PLLC is a New York–based litigation firm with a national track record in complex civil litigation, data privacy, and cybersecurity matters. We represent clients in select data breach class actions and related individual cases. Our current matters include breaches involving PowerSchool, Ahold Delhaize, Aflac Insurance, Johnson Controls, Community Health Center, DISA Global Solutions, and New Haven Health. In 2025, we helped secure notable results, including a $30 million settlement in the 23andMe data breach litigation (N.D. Cal.) and a multi-million-dollar settlement in the Sunflower Medical Group case (D. Kan.). We are experienced across New York trial and appellate courts, federal courts, and ADR forums, and we understand the regulatory landscape for universities, including FERPA, HIPAA, ADA, and IDEA.

Woods Lonergan has a proven track record of successfully holding large corporations accountable for failing to protect highly sensitive consumer data.


FAQs – Columbia University Data Breach 

What happened in the Columbia University Data Breach?

A threat actor gained unauthorized access to Columbia’s network, moved laterally, and exfiltrated large datasets (reported ≈460 GB). The incident surfaced publicly on June 24, 2025, when systems (UNI, email, CourseWorks) were disrupted; Columbia disclosed on August 5, 2025.

Is this definitely not ransomware?

Public reporting characterizes the incident as data theft with no ransom. Columbia’s updates have not referenced ransom negotiations.

How long has my data been at risk?

From June 24, 2025 through August 6, 2025, that’s ~43 days of potential exposure, with risk continuing until containment and notification steps conclude.


Who Was Affected in the Columbia University Data Breach?

Are applicants and alumni included?

Applicants: Yes (confirmed by Columbia).
Alumni: Not officially named by Columbia but identified in independent dataset reviews (e.g., The Verge, Bloomberg).

Could international students be impacted?

Potentially. If you submitted passport scans, visas, I-20/DS-2019 forms, or other immigration documents, those could be among the compromised records and warrant extra monitoring.


What Data Was Exposed in the Columbia University Data Breach?

What personal data is confirmed as exposed in the Columbia University Data Breach?

SSNs, contact details, demographics, grades/transcripts, financial aid files (including FAFSA), insurance enrollment, and certain health information.

What does “FAFSA data” actually include?

FAFSA can contain SSNs, tax returns/IRS data retrieval, income and asset information, family size, dependency status, loan details, and correspondence with aid offices—a detailed financial profile that is highly sensitive.

What are “education records” under FERPA in this context?

They can include grades and transcripts, disciplinary files, academic advising notes, standardized test scores, immigration documents, and disability-related information (e.g., IEPs/504 plans, psychological evaluations) implicating ADA/IDEA protections.

Could disability or counseling information be part of this breach?

Yes. If IEPs, 504 plans, or counseling evaluations are among the files, exposure could reveal accommodation details and medical or psychological history.


Notifications & Timing Related to the Columbia University Data Breach:

When and how will Columbia notify me?

By mail, on a rolling basis starting August 7, 2025. Notices can arrive any time after that date; some individuals might also receive email.

I haven’t received a letter yet—what should I do?

Assume possible exposure; freeze credit, set fraud alerts, enable MFA, and monitor financial/online accounts. Keep an eye on Columbia’s official updates.


Legal Rights & Next Steps Related to the Columbia University Data Breach:

Do I need a New York lawyer if I live elsewhere?

Not necessarily—but because Columbia is NY-based and NY law (including the SHIELD Act) may apply, a New York firm can advise on venue, statutes, and strategy.

What kinds of compensation are possible?

Reimbursement of out-of-pocket losses (freezes, remediation, travel/time), credit monitoring, and damages for loss of privacy, time, and increased future risk. Courts can also order injunctive relief (e.g., security upgrades, extended monitoring).

How do I start the process?

Save the notice letter, document all time and costs, preserve emails/screenshots, and contact Woods Lonergan at (212) 684-2500 for a confidential, no-cost evaluation.


About the Author

James Woods, Managing Partner of Woods Lonergan, holds more than 25 years of experience in corporate, real estate, and business legal matters. His expertise in handling negotiations, litigation, jury trials, and all forms of alternative dispute resolution spans multiple areas, including corporate, real estate, and commercial litigation. James actively represents dozens of Cooperative and Condominium Boards and serves as counsel to many Corporate Boards. Prior to founding the firm, James proudly served as an Assistant District Attorney for Nassau County and handled both jury and bench trials. With experience that also covers sophisticated transactions and complex acquisitions, James also serves as counsel to several domestic companies in a range of industries and commercial arenas, including real estate, insurance, banking, transportation, and construction. If you have any questions about this article you can contact attorney James Woods through his biography page.

Disclaimer: The information in this article and blog post (“post”) is provided for informational purposes only, and may not reflect the current law(s) in every jurisdiction. No information contained in this post should be construed as legal advice from Woods Lonergan PLLC or the individual author(s), nor is it intended to be a substitute for legal counsel on any subject matter. Nothing herein shall be construed to create an attorney-client relationship with Woods Lonergan PLLC. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from an attorney licensed in the recipient’s jurisdiction. This post is attorney advertising.