Columbia University Data Breach Exposes 2.5 Million Applicants' Data
Severity: High (Score: 67.0)
Sources: cloudstoragesecurity.com, Gadgetreview, www.cuit.columbia.edu
Keywords: data, columbia, breach, university, cloud, gigabytes, exposes
Severity indicators: breach, university
Summary
In June 2025, Columbia University suffered a significant data breach, initially misreported as a technical failure. The breach, attributed to a politically motivated hacktivist, resulted in the exfiltration of 460 GB of sensitive data, impacting 868,969 individuals, including many with no direct ties to the university. The stolen data included Social Security numbers, financial aid records, and academic histories of over 2.5 million applicants. The attacker claimed the breach aimed to expose post-affirmative action admissions practices. Columbia detected the breach in late June but did not notify the public until July, leaving many victims confused about their compromised data. A forensic investigation is ongoing, but no specific details about the attack vector or vulnerabilities exploited have been disclosed. The incident raises concerns about the retention of sensitive personal data by educational institutions.
Key Points:
- Columbia University experienced a major data breach affecting 868,969 individuals.
- The breach involved the theft of 460 GB of sensitive data, including Social Security numbers.
- The attacker claimed to expose issues related to post-affirmative action admissions practices.
Detailed Analysis
**Impact**
The breach exposed data on over 2.5 million applicants to Columbia University, including the 868,969 individuals who were notified, many of whom never attended the institution. Approximately 1.8 million Social Security Numbers, along with dates of birth, financial aid records, academic histories, passport scans, citizenship status, disciplinary records, and payroll files were compromised. The incident affected students, staff, alumni, and prospective applicants, primarily in the United States. Operationally, Columbia experienced outages impacting email, student information systems, authentication, and campus digital signage, resulting in reputational damage and potential federal investigations under FERPA and New York’s SHIELD Act.
**Technical Details**
The attacker, self-identified as a political hacktivist, maintained access for nearly two months before detection, compromising hypervisors and bypassing multi-domain Active Directory controls. The breach involved exfiltration of 460 GB of data without any ransomware demand, indicating a data-centric, ideologically motivated attack. No specific initial access vectors, exploited vulnerabilities, malware strains, or IOCs have been publicly disclosed. During the intrusion the attacker altered peripheral systems, such as dormitory digital signage, to display political messages.
**Recommended Response**
Organizations should conduct comprehensive security posture reviews focusing on segmentation of hybrid infrastructure and enhanced monitoring of sensitive data at the storage layer. Immediate actions include deploying detection capabilities for lateral movement and hypervisor compromise, and auditing legacy databases for unauthorized data retention. Institutions holding applicant or student data must prepare for potential regulatory investigations and notify affected individuals promptly. No specific IOCs or patches have been released; defenders should monitor for unusual access patterns and data exfiltration activity.
Source articles (3)
- Columbia's Data Breach Exposes Hidden Victims Who Never Attended the University — Gadgetreview · 2026-06-04
  Columbia University’s massive 2025 data breach affected 868,969 people, including thousands who received alarming notification letters despite having zero connection to the prestigious institution. B…
- 460 gigabytes — cloudstoragesecurity.com · 2026-06-04
  Casmer Labs, Cloud Storage Security’s (CSS) internal threat research laboratory, closely monitors breaches and threats impacting cloud environments and particularly the data contained within. In this…
- Cyber Incident — www.cuit.columbia.edu · 2026-06-04
Timeline
- 2024-06-25 — CVE-2024-37085 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2025-06-24 — Columbia University suffers data breach: A cyberattack led to an outage across Columbia's Morningside campus, affecting core services.
- 2025-07-01 — Breach confirmed as targeted cyberattack: Columbia University confirmed the incident was a targeted cyberattack by an external actor.
- 2025-07-01 — Public notification of breach delayed: Columbia did not notify the public about the breach until July, weeks after detection.
- Recent — Forensic investigation underway: A third-party cybersecurity firm is conducting a forensic investigation in coordination with law enforcement.
CVEs
Related entities
- Data Breach (Attack Type)
- Columbia University (Company)
- Education (Company)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- them.to (Domain)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- Amazon EBS (Platform)
- Amazon EFS (Platform)
- Amazon S3 (Platform)
- Azure Blob (Platform)
- FSx (Platform)
- Google Cloud Storage (Platform)