In March 2025, New York University (NYU) experienced a cyberattack that compromised the personal data of over 3 million applicants, spanning back to 1989. The hackers, who gained control of NYU’s website for a period of two hours, exposed a wealth of sensitive information including names, test scores, family information, financial aid details, and application data. The motive behind the breach was to shed light on what the hackers believed to be NYU’s discriminatory admissions practices, particularly focusing on alleged racial disparities in the acceptance criteria.
The cybercriminals chose to display charts showcasing the test scores and GPAs of admitted students, providing what they saw as evidence of the university’s “illegal” race-sensitive admissions policies. To further accentuate their message, the hackers uploaded CSV files to the NYU website, containing demographic information, city and zip codes, citizenship statuses, and other personal details of applicants. Additionally, the files exposed Common Application information, financial aid specifics, Early Decision applications, and even records of rejected students. What made the breach particularly egregious was the inclusion of personal data belonging to applicants’ family members, stretching back over three decades.
Upon discovering the breach, NYU acted swiftly to regain control of its website and put an end to the unauthorized activity. The university promptly reported the incident to law enforcement authorities and vowed to bolster its security measures to prevent future breaches. This incident of cyber intrusion at NYU echoes a similar breach that occurred at the University of Minnesota in 2023, where millions of social security numbers and personal information were compromised, leading to legal repercussions in the form of a class-action lawsuit.
Unfortunately, data breaches targeting universities have become increasingly common in recent years, with institutions such as Stanford and Georgetown also falling victim to similar attacks. NYU’s challenges have been compounded by a decline in minority student enrollments following a Supreme Court ruling on affirmative action in 2023, a development the university has been critical of. Despite these obstacles, NYU has affirmed its commitment to upholding its admissions practices while simultaneously fortifying its security protocols to mitigate the risk of future breaches.
In an era where cyber threats loom large and data privacy concerns continue to mount, universities must remain vigilant in safeguarding the personal information of their students and applicants. The breaches at NYU and other prominent institutions serve as stark reminders of the evolving landscape of cybercrime and the imperative of proactive cybersecurity measures in protecting sensitive data. As NYU and its peers navigate the aftermath of these breaches, the onus remains on them to not only rectify the immediate security gaps but also to instill confidence in their stakeholders by prioritizing data security and privacy.