Personal information about Columbia University students and applicants—including whether they were accepted or rejected by the school—has been stolen, according to a Bloomberg News review of data provided by a person who claimed to have hacked the school in June.
The 1.6-gigabyte volume of data provided to Bloomberg represents 2.5 million applications dating back decades, according to the alleged hacker. It includes students’ and applicants’ university-issued identification numbers, citizenship status, decisions on their applications, the academic programs to which they applied, among other things. Bloomberg confirmed the accuracy of the data for eight Columbia students and alumni who applied to Columbia between 2019 and 2024.
A Columbia official said “initial indications” show that data was stolen, though the school hasn’t yet determined the scope of the theft. Doing so could take weeks to months, the official said, adding that the university will then determine who needs to be notified.
The university recovered most of its systems quickly and engaged the cybersecurity firm CrowdStrike Holdings Inc., the official said. Initial indications are that the perpetrator is a hacktivist, meaning the person is trying to make a statement rather than seek financial gain. CrowdStrike has described the attacker as “highly sophisticated” and “very targeted” in the theft of documents — breaking in and stealing student data with the apparent goal of “furthering their political agenda,” the official said.
The leak of the data could prove problematic for Columbia if it fuels concerns about diversity in admissions. The school is trying to negotiate a settlement with the Trump administration to unfreeze $400 million of federal funding for research. The White House earlier this year blocked money to the school, accusing it of fostering antisemitism. The administration has since broadened its attack on the Ivy League to include diversity, equity and inclusion initiatives.
The alleged hacker, speaking via text and claiming to work alone, said they sought to acquire information about university applications that would suggest a continuation of affirmative action policies in Columbia’s admissions, following a 2023 Supreme Court decision that effectively barred the practice. The Columbia official said the school’s admissions processes are compliant with the Supreme Court decision.
The alleged hacker declined to provide their name, saying they didn’t want to go to prison.
The records provided to Bloomberg, the person said, are part of approximately 460 gigabytes of extracted data detailing financial aid packages, employee pay and at least 1.8 million Social Security numbers belonging to employees, applicants, students and their family members. The person told Bloomberg News they acquired the data after more than two months of building up access within Columbia’s servers. Ultimately, they said they attained the most privileged access to the university’s data.
The data Bloomberg received didn’t include names, Social Security numbers or birth dates. Bloomberg cross-checked the data with eight current and former students who submitted 12 applications to Columbia between 2019 and 2024. The eight Columbia students and alumni told Bloomberg the data matched their university-issued ID code, gender, citizenship status, admissions decision, the academic programs to which they applied and their decisions on whether to matriculate.
Six of the eight people applied to Columbia undergraduate programs, and in those instances, they said the data also matched the three academic interests stated in their applications in the exact order. Bloomberg wasn’t able to verify all of the data.
On June 24, Columbia experienced a systemwide outage in which students and employees couldn’t log into their university emails or other digital services. By June 29, systems had returned to working order, the school said.
The person claiming to have hacked Columbia also took responsibility for previously disclosed cybersecurity incidents at the University of Minnesota and New York University. The University of Minnesota said on its website that it believes someone gained unauthorized access to a school database in 2021. New York University disclosed earlier this year that a hacker gained access to some of its IT systems and that it had notified individuals whose Social Security numbers were contained in the affected files.
The University of Minnesota told Bloomberg on Monday that it is looking into the alleged hacker’s claim of being responsible. NYU didn’t respond to questions about the hacker.
Was this article valuable?
Here are more articles you may enjoy.
California Surplus Lines Take-up Soars as Property Owners Eye Coverage Alternatives 
Trump to Outline AI Priorities in Speech Asserting US Edge 
Cybersecurity Bosses Growing Increasingly Worried About AI Attacks and Misuse 
Trump’s Auto Safety Pick Promises Rapid Self-Driving Deployment 
Want to stay up to date?
Get the latest insurance news
sent straight to your inbox.