NYU faces 10 lawsuits after breach exposes over 3 million applicants' data

New York University faces ten class action lawsuits following a data breach in late March where a hacker publicly exposed the personal information of more than three million university applicants dating back decades. Initial reports also cited figures of over one million students affected.

What happened

On March 22, 2025, an unauthorized individual gained access to and modified parts of NYU's website. For approximately two hours, the compromised page displayed charts purportedly showing discrepancies in average admitted test scores and GPAs based on race, alongside links to downloadable files containing sensitive applicant data. 

The hacker, claiming affiliation with a group called "Computer Niggy Exploitation" (previously linked to a major breach at the University of Minnesota involving seven million Social Security numbers), stated the act was intended to expose alleged race-sensitive admissions practices. Although the hacker claimed identifying information was redacted, cybersecurity expert Zack Ganot reported that redaction was done improperly. 

The exposed data included full names, addresses, phone numbers, email addresses, test scores (SAT/ACT), GPAs, majors, zip codes, demographic information (like ethnicity and citizenship status), and details related to financial aid and family members for applicants going back to 1989. The data covered admitted, rejected, and current students, as well as alumni. NYU regained control and restored the affected website in under three hours.

What’s new

In the aftermath, at least ten separate class action lawsuits have been filed against NYU by affected applicants. These lawsuits generally allege that the university was negligent in protecting sensitive personal information, failed to implement adequate cybersecurity measures, retained applicant data for excessive periods, and failed to provide prompt and adequate notification to all affected individuals. 

While NYU sent university-wide emails, sources indicate that the vast majority of affected individuals (estimated at 98%, primarily alumni and unenrolled applicants) have not been directly contacted. 

Zack Ganot has reportedly uploaded some of the exposed data to his platform, DataBreach.com, allowing individuals to check for impact. Law firms are actively investigating and soliciting affected individuals. NYU spokesperson John Beckman stated the university is working with a cybersecurity consultant to "complete their review of the incident so that NYU, in accordance with applicable law, can provide notice to anyone whose personal information was subject to unauthorized access."

Why it matters

The breach exposed a massive volume of personal data spanning decades, putting millions of individuals at potential risk of identity theft and privacy violations, especially with the inclusion of addresses and phone numbers alongside names and academic details. Although Social Security numbers were reportedly not included in this breach, the leaked information is highly sensitive. The incident raises questions about data security and retention policies at large educational institutions. It also shows the potential legal and reputational consequences for organizations failing to protect such data. The hacker's stated motive also introduces controversial issues surrounding university admissions policies into the cybersecurity incident.

What they’re saying

NYU spokesperson John Beckman confirmed the "malicious hack," stated the university responded "immediately," regained control in "less than three hours," involved law enforcement, and is reviewing security. University administrators described the hacker's charts as "inaccurate and misleading." Lawyers for plaintiffs criticized the lack of direct notification and questioned NYU's data retention practices. 

Cybersecurity expert Zack Ganot stated, "Even if the hacker meant to highlight illegal discrimination, leaking the personal data of over a million people is reckless. The collateral damage is real — and the privacy consequences... won’t just disappear after the headlines fade." NYU's Black Student Union criticized the university's response regarding the racial motivations cited by the hacker. The hacker claimed affiliation with "Computer Niggy Exploitation" and linked the attack to protesting affirmative action policies.

FAQs

Who was affected by the breach?

Individuals who applied to NYU between 1989 and the present could be affected, including those admitted, rejected, currently enrolled students, and alumni.

Why are lawsuits being filed against NYU?

The lawsuits allege NYU was negligent in securing applicant data, failed to meet cybersecurity standards, retained data unnecessarily long, and did not adequately notify all affected individuals about the breach.

What should affected individuals do?

Affected individuals should monitor financial accounts and personal information for misuse. They can check resources like DataBreach.com (where some data was reportedly uploaded) and stay informed about the class action lawsuits.