{"id":928,"date":"2025-04-01T12:01:55","date_gmt":"2025-04-01T12:01:55","guid":{"rendered":"http:\/\/jtotheb.com\/?p=928"},"modified":"2025-04-03T12:41:45","modified_gmt":"2025-04-03T12:41:45","slug":"nyu-hit-with-10-class-action-lawsuits-following-data-breach","status":"publish","type":"post","link":"http:\/\/jtotheb.com\/index.php\/2025\/04\/01\/nyu-hit-with-10-class-action-lawsuits-following-data-breach\/","title":{"rendered":"NYU hit with 10 class action lawsuits following data breach"},"content":{"rendered":"
NYU is facing 10 class action lawsuits alleging that it mishandled applicants\u2019 personal information and failed to meet national cybersecurity standards after a hacker leaked files with more than 3 million names, hometowns and GPAs on the university\u2019s website last week.\nThe lawsuits, each filed by an individual applicant, claim that NYU\u2019s cybersecurity practices do not follow guidelines set by the National Institute of Standards and Technology and the Center for Internet Security, leaving those who applied to the school at risk of identity theft. Cybersecurity experts Zack Ganot and Arnaud de Saint M\u00e9loir, who help run databreach.com, told WSN that the amount of information included in the files \u2014 which were publicly downloadable on NYU\u2019s main website for over two hours \u2014 could have sold for tens of thousands of dollars on the dark web.\n\u201cAlmost for sure, NYU will settle and people will receive compensation \u2014 it was a real breach,\u201d Ganot told WSN. \u201cWithout putting it too bluntly, it was NYU\u2019s fault. They did not secure the data as they should have, and it\u2019s kind of hard to get around.\u201d\nA university spokesperson did not respond to multiple requests for comment. In a universitywide email sent about six hours after the breach, senior administrators Martin Dorph and Don Welch said that NYU removed the hacked page and reported the incident to law enforcement. In a second email five days later, they said that NYU IT and its cybersecurity consultant were \u201cworking as swiftly as possible\u201d to evaluate what personal information was susceptible to unauthorized access.
Alumni and unenrolled applicants, whose data comprises around 98% of the leak, have not received communications regarding the incident.\nThe lawsuits criticized NYU for not issuing a \u201cprompt and accurate\u201d statement informing the millions of applicants that their personal information had been compromised. William Federman, a lawyer in one of the cases against the university, told WSN that an immediate text, email or press release explicitly notifying applicants that their data was leaked would have been an ideal response.\n\u201cImagine being an alum of the [University Heights] campus and now learning that your personal data has been stolen and is potentially being misused,\u201d Federman said in a statement. \u201cYou would have high anxiety and not even know where to start.\u201d\nIn an interview with WSN, Alexander Grijalva, an SPS professor teaching project management and IT, said he believed that NYU \u201cdisclosed as much as it could\u201d and that the response time was likely inhibited by legal advisors and administrators\u2019 caution confirming the university\u2019s specific concerns surrounding the breach. Grijalva said the university issued its statement \u201cfaster than some institutions would,\u201d and that the forensic processes that offer more details would take months.\n\u201cI would never criticize the university, because being in this job, I know how tough it is \u2014 in institutions of any size,\u201d Grijalva, who is also the chief information security officer at VillageCare, said. \u201cThere\u2019s so much data floating around, so many thousands of users and you can\u2019t lock down 100%.
The only way to have 100% security is just to get rid of digital technology.\u201d\nSeveral of the lawsuits specifically criticize the university for retaining applicants\u2019 data for decades, citing industry guidelines that recommend encrypting or disposing of information as soon as it is no longer relevant. NYU\u2019s policies stipulate that application data is destroyed after a two-year period, with the exception of enrolled students, whose data is destroyed five years after they graduate.\nWhile over 99% of the data represents applicants from 2009 and later, records date back to 1978 and can be found across all schools, and for both admitted and rejected applicants. Federman said that while some of the retained information may still be relevant for advertising or analytics, it should be stored on a separate hard drive to mitigate accessibility risks.\nCompiled, the files include each individual\u2019s SAT and ACT scores, zip codes and ethnicity, among other personal information submitted on the Common Application. De Saint M\u00e9loir said the breach was the first he has seen with GPAs. The lawsuits claim that while the files did not include phone numbers, home addresses or social security numbers, the available information is often enough for hackers to find them.\n\u201cThe good news \u2014 but the bad news \u2014 is that I didn\u2019t find any social security number, so I don\u2019t think the compensation will be that large,\u201d de Saint M\u00e9loir said.
\u201cBut also it depends on the net profit of the company \u2014 considering NYU is one of the richest universities in the country, it could be an interesting settlement.\u201d\nOver the past several years, similar incidents have taken place at the University of Minnesota \u2014 which was seemingly hacked by the same person who took over NYU\u2019s website \u2014 Marymount Manhattan College, Syracuse University and several other schools. In most cases, institutions faced an onslaught of class action lawsuits before they consolidated into one. Students who filed claims in lawsuits received $38, $150 and up to $1,000, respectively \u2014 although all breaches involved SSNs.\nAlong with links to download the data, NYU\u2019s hacked page displayed three charts with what the hacker claimed to be the university\u2019s average admitted SAT scores, ACT scores and GPAs for the 2024-25 admissions cycle. On the defaced website, the hacker argued that NYU uses \u201cillegal\u201d race-sensitive admissions, showing that the average admitted test scores and GPAs for Asian and white applicants were higher than those who identify as Hispanic or Black.\nIn their email to the NYU community, Dorph and Welch said that the graphs were both \u201cinaccurate and misleading.\u201d WSN verified the information of over 50 consenting NYU applicants but did not find any inaccuracies. In his look into the files, de Saint M\u00e9loir said the charts are consistent with the data but noted that less than one in 20 admitted students included their test scores in the last application cycle.\n\u201cThese claims are statistically worthless,\u201d de Saint M\u00e9loir said. \u201cYou need a much deeper study to validate that conclusion or not.\u201d\nTwo days after the data breach, NYU\u2019s Black Student Union released a statement criticizing the university\u2019s response and WSN\u2019s article published immediately after the hack.
The group said the incident was particularly concerning amid a federal crackdown on diversity, equity and inclusion programs in the United States, and that its members plan to work with NYU leadership and the Student Government Assembly to more thoroughly address the issue.\n\u201cNowhere does the university acknowledge that this attack disproportionately targeted Black students or address the underlying motivation of racism,\u201d the BSU statement read. \u201cThis was not just a data breach; it was an act of blatant racism designed to perpetuate harmful narratives about Black and Latine students.\u201d\nGanot said that the \u201chacktivist\u201d had a clear political motivation and that it \u201cspeaks volumes\u201d that the attacker didn\u2019t ask NYU for ransom \u2014 which, \u201cbased on historical trends,\u201d could have been around $1 million. In the same interview, de Saint M\u00e9loir said that in most instances, this amount of personal information would have only been available on the dark web, noting that this was the \u201ceasiest to access\u201d data breach he had seen.\nA breach of this level would have previously resulted in an investigation by governmental agencies such as the Federal Trade Commission or the Consumer Financial Protection Bureau, Ganot added. However, he said the Trump administration\u2019s firing sprees have restricted the agencies\u2019 capacity for oversight.\n\u201cThey basically were shut down, and everyone knows they were shut down, so that\u2019s not going to happen,\u201d Ganot said. \u201cThe only way to hold a company accountable right now, is filing a class action lawsuit.\u201d\nCorrection, April 1: A previous version of this article incorrectly implied that the hacker\u2019s code matched the code used in WSN\u2019s analysis.
The article has been updated and WSN regrets the error.\nContact Dharma Niles and Krish Dev at news@nyunews.com.\nThis story NYU hit with 10 class action lawsuits following data breach appeared first on Washington Square News.\n","protected":false},"excerpt":{"rendered":" NYU is facing 10 class action lawsuits alleging that it mishandled applicants\u2019 personal information and failed to meet national cybersecurity standards after a hacker leaked files with more than 3 million names, hometowns and GPAs on the university\u2019s website last week.\u00a0 The lawsuits, each filed by an individual applicant, claim that NYU\u2019s cybersecurity practices do not follow guidelines set by the National Institute of Standards and Technology and the Center for Internet Security, leaving those who applied to the school at risk of identity theft. Cybersecurity experts Zack Ganot and Arnaud de Saint M\u00e9loir, who help run databreach.com, told WSN that the amount of information included in the files \u2014 which were publicly downloadable on NYU\u2019s main website for over two hours \u2014 could have sold for tens of thousands of dollars on the dark web. \u201cAlmost for sure, NYU will settle and people will receive compensation \u2014 it was a real breach,\u201d Ganot told WSN. \u201cWithout putting it too bluntly, it was NYU\u2019s fault. They did not secure the data as they should have, and it\u2019s kind of hard to get around.\u201d A university spokesperson did not respond to multiple requests for comment. In a universitywide email sent about six hours after the breach, senior administrators Martin Dorph and Don Welch said that NYU removed the hacked page and reported the incident to law enforcement. In a second email five days later, they said that NYU IT and its cybersecurity consultant were \u201cworking as swiftly as possible\u201d to evaluate what personal information was susceptible to unauthorized access.
Alumni and unenrolled applicants, whose data comprises around 98% of the leak, have not received communications regarding the incident.\u00a0 (Kyra Reilley for WSN) The lawsuits criticized NYU for not issuing a \u201cprompt and accurate\u201d statement informing the millions of applicants that their personal information had been compromised. William Federman, a lawyer in one of the cases against the university, told WSN that an immediate text, email or press release explicitly notifying applicants that their data was leaked would have been an ideal response.\u00a0 \u201cImagine being an alum of the [University Heights] campus and now learning that your personal data has been stolen and is potentially being misused,\u201d Federman said in a statement. \u201cYou would have high anxiety and not even know where to start.\u201d\u00a0 In an interview with WSN, Alexander Grijalva, an SPS professor teaching project management and IT, said he believed that NYU \u201cdisclosed as much as it could\u201d and that the response time was likely inhibited by legal advisors and administrators\u2019 caution confirming the university\u2019s specific concerns surrounding the breach. Grijalva said the university issued its statement \u201cfaster than some institutions would,\u201d and that the forensic processes that offer more details would take months.\u00a0 \u201cI would never criticize the university, because being in this job, I know how tough it is \u2014 in institutions of any size,\u201d Grijalva, who is also the chief information security officer at VillageCare, said. \u201cThere\u2019s so much data floating around, so many thousands of users and you can\u2019t lock down 100%.
The only way to have 100% security is just to get rid of digital technology.\u201d Several of the lawsuits specifically criticize the university for retaining applicants\u2019 data for decades, citing industry guidelines that recommend encrypting or disposing of information as soon as it is no longer relevant. NYU\u2019s policies stipulate that application data is destroyed after a two-year period, with the exception of enrolled students, whose data is destroyed five years after they graduate. While over 99% of the data represents applicants from 2009 and later, records date back to 1978 and can be found across all schools, and for both admitted and rejected applicants. Federman said that while some of the retained information may still be relevant for advertising or analytics, it should be stored on a separate hard drive to mitigate accessibility risks.\u00a0 Compiled, the files include each individual\u2019s SAT and ACT scores, zip codes and ethnicity, among other personal information submitted on the Common Application. De Saint M\u00e9loir said the breach was the first he has seen with GPAs. The lawsuits claim that while the files did not include phone numbers, home addresses or social security numbers, the available information is often enough for hackers to find them.\u00a0 \u201cThe good news \u2014 but the bad news \u2014 is that I didn\u2019t find any social security number, so I don\u2019t think the compensation will be that large,\u201d de Saint M\u00e9loir said. \u201cBut also it depends on the net profit of the company \u2014 considering NYU is one of the richest universities in the country, it could be an interesting settlement.\u201d Over the past several years, similar incidents have taken place at the University of Minnesota \u2014 which was seemingly hacked by the same person who took over NYU\u2019s website \u2014 Marymount Manhattan College, Syracuse University and several other schools. 
In most cases, institutions faced an onslaught of class action lawsuits before they consolidated into one. Students who filed claims in lawsuits received $38, $150 and up to $1,000, respectively \u2014 although all breaches involved SSNs.\u00a0 Along with links to download the data, NYU\u2019s hacked page displayed three charts with what the hacker claimed to be the university\u2019s average admitted SAT scores, ACT scores and GPAs for the 2024-25 admissions cycle. On the defaced website, the hacker argued that NYU uses \u201cillegal\u201d race-sensitive admissions, showing that the average admitted test scores and GPAs for Asian and white applicants were higher than those who identify as Hispanic or Black. In their email to the NYU community, Dorph and Welch said that the graphs were both \u201cinaccurate and misleading.\u201d WSN verified the information of over 50 consenting NYU applicants but did not find any inaccuracies. In his look into the files, de Saint M\u00e9loir said the charts are consistent with the data but noted that less than one in 20 admitted students included their test scores in the last application cycle. \u201cThese claims are statistically worthless,\u201d de Saint M\u00e9loir said. \u201cYou need a much deeper study to validate that conclusion or not.\u201d Two days after the data breach, NYU\u2019s Black Student Union released a statement criticizing the university\u2019s response and WSN\u2019s article published immediately after the hack. The group said the incident was particularly concerning amid a federal crackdown on diversity, equity and inclusion programs in the United States, and that its members plan to work with NYU leadership and the Student Government Assembly to more thoroughly address the issue. \u201cNowhere does the university acknowledge that this attack disproportionately targeted Black students or address the underlying motivation of racism,\u201d the BSU statement read. 
\u201cThis was not just a data breach; it was an act of blatant racism designed to perpetuate harmful narratives about Black and Latine students.\u201d Ganot said that the \u201chacktivist\u201d had a clear political motivation and that it \u201cspeaks volumes\u201d that the attacker didn\u2019t ask NYU for ransom \u2014 which, \u201cbased on historical trends,\u201d could have been around $1 million. In the same interview, de Saint M\u00e9loir said that in most instances, this amount of personal information would have only been available on the dark web, noting that this was the \u201ceasiest to access\u201d data breach he had seen.\u00a0 A breach of this level would have previously resulted in an investigation by governmental agencies such as the Federal Trade Commission or the Consumer Financial Protection Bureau, Ganot added. However, he said the Trump administration\u2019s firing sprees have restricted the agencies\u2019 capacity for oversight. \u201cThey basically were shut down, and everyone knows they were shut down, so that\u2019s not going to happen,\u201d Ganot said. \u201cThe only way to hold a company accountable right now, is filing a class action lawsuit.\u201d Correction, April 1: A previous version of this article incorrectly implied that the hacker\u2019s code matched the code used in WSN\u2019s analysis. The article has been updated and WSN regrets the error. Contact Dharma Niles and Krish Dev at news@nyunews.com. 
This story NYU hit with 10 class action lawsuits following data breach appeared first on Washington Square News.\n","protected":false},"author":1,"featured_media":930,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-928","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/jtotheb.com\/index.php\/wp-json\/wp\/v2\/posts\/928","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/jtotheb.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/jtotheb.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/jtotheb.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/jtotheb.com\/index.php\/wp-json\/wp\/v2\/comments?post=928"}],"version-history":[{"count":3,"href":"http:\/\/jtotheb.com\/index.php\/wp-json\/wp\/v2\/posts\/928\/revisions"}],"predecessor-version":[{"id":935,"href":"http:\/\/jtotheb.com\/index.php\/wp-json\/wp\/v2\/posts\/928\/revisions\/935"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/jtotheb.com\/index.php\/wp-json\/wp\/v2\/media\/930"}],"wp:attachment":[{"href":"http:\/\/jtotheb.com\/index.php\/wp-json\/wp\/v2\/media?parent=928"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/jtotheb.com\/index.php\/wp-json\/wp\/v2\/categories?post=928"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/jtotheb.com\/index.php\/wp-json\/wp\/v2\/tags?post=928"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}