Bank numbers, GPAs among data stolen in recent Columbia University breach

NEW YORK - The financial information and academic performance of Columbia University students and alumni were stolen in a recent breach, according to a Bloomberg News review of some of the pilfered data.

The data includes bank account and routing numbers, student loan and scholarship disbursements, standardised test scores, grade point averages (GPAs), class schedules, home addresses and other contact information, a Bloomberg review of 53.6GB of the stolen files shows.

Nine current and former students who began attending Columbia undergraduate and graduate programmes as early as in the 1990s confirmed the accuracy of their data in the files. Bloomberg could not verify the entire cache. 

The new details about the hacked data, which have not been previously reported, provide another headache for a university that is trying to regain its footing following a bruising battle with the Trump administration over claims that it fostered anti-Semitism and discriminated on the basis of race and national origin.

In response to questions from Bloomberg, a Columbia University spokesperson said the investigation into the cyber attack – including specifics of the information exposed – was ongoing.

Columbia will begin notifications this week to individuals believed to be affected by the attack, the spokesperson said, adding that the school encouraged “all members of the university community” to remain vigilant against scams and regularly monitor accounts for suspicious activity.

The university announced on its website on the evening of Aug 5 that an unauthorised party had acquired data about students and applicants regarding admissions, enrolment and financial aid, as well as certain personal information associated with some university employees.

The affected data, the university said, included social security numbers, contact details, academic history and other information about demographics, financial aid, insurance and health.

In its statement, Columbia University said it would begin notifying by mail on Aug 7 individuals whose personal information might have been affected. The university said it would offer those individuals two years of credit monitoring, fraud consultation and identity theft services through a vendor.

In June, Columbia began investigating a potential cyber attack following an IT outage at the school. A university official described the perpetrator of the breach as a “hacktivist”, meaning the attacker was politically motivated as opposed to seeking financial gain.

Bloomberg reported in June that personal information from applications to Columbia dating back decades – including whether applicants were accepted or rejected by the school – had been stolen, after reviewing 1.6GB of data provided by a person who claimed responsibility for the cyber attack.

A separate 53.6GB cache of data reviewed by Bloomberg was made available by Dr Jordan Lasker, who runs a blog that has promoted views about race and IQ that have been criticised as offensive and scientifically flawed. Dr Lasker said he obtained the 53.6GB cache of data from the alleged hacker.

The hacker, who communicated with Bloomberg via social media platform X, confirmed that it provided the data to Dr Lasker. The person’s X account, which includes a racist handle and racist remarks, declined to identify itself, saying it feared self-incrimination. Bloomberg has not independently confirmed that this person hacked the university’s records.

It is not clear who else might have access to the stolen data. Even if it is not immediately exploited, the hacked data could ultimately be used for malicious purposes including theft, identity fraud and stalking, according to security experts.

“Regardless of the criminal’s motive, any time an individual is involved in a data breach, there is cause for concern,” said Ms Rachel Tobac, chief executive officer of SocialProof Security. “It is important to freeze your credit and be on the lookout for tailored phishing lures across all contact methods.”

In July, Columbia reached a deal with the Trump administration to restore federal funding for research that included paying a US$200 million (S$257 million) penalty over three years to resolve multiple civil rights investigations, in addition to a series of reforms to bolster campus safety and oversight of international students. 

The university has been at the centre of controversy since protests roiled its New York City campus over the war in Gaza following Hamas’ Oct 7, 2023, attack on Israel. BLOOMBERG