Columbia University Notifies Victims of May 16 Cyberattack
Columbia University began sending notification letters Thursday to those whose personal information was impacted during a May cyberattack, according to the university and several state attorneys general who reported the breach. An unauthorized third party, which stole the data, accessed the system in May, though the school discovered the breach as a result of a June 24 tech outage that disrupted IT systems (see 2507030020).
Following a technical outage that day, Columbia "promptly activated [its] response process, launched an investigation with the support of external cybersecurity experts, and reported the incident to law enforcement," according to a sample notification letter attached to the Maine AG office's report on the breach.
The university said the investigation determined that "on or about May 16, 2025, an unauthorized third-party" entered its network and "took certain files." As of Aug. 7, the university has "no evidence that any Columbia University Irving Medical Center patient records were affected."
Maine's AG office reported that 2,026 of the 868,969 affected by the breach were state residents. Washington state, South Carolina, California and Vermont also reported the breach on Thursday with the same sample notification letter. Washington's AG site noted that 11,521 Washingtonians were impacted, while South Carolina said 3,096 state residents were affected.
In an August 5 update, Columbia said data stolen included "information about students and applicants related to admissions, enrollment, and financial aid processes, as well as certain personal information associated with some Columbia employees."
"The affected information includes Social Security numbers, contact details, demographic information, academic history, financial aid-related information, insurance-related information, and certain health information," the university added.
Columbia is offering two years of free credit monitoring and identity theft services to those impacted.