What happened, when it was discovered, and how Columbia described the intrusion
Columbia University says an unauthorized third party gained access to its network on or about May 16, 2025, and removed certain files. The incident surfaced after a technical outage on June 24, 2025, which disrupted parts of the university’s IT systems and prompted a forensic investigation. In notifications filed with state regulators on August 7, 2025, Columbia said the incident affects 868,969 individuals.
“Our investigation determined that, on or about May 16, 2025, an unauthorized third-party gained access to Columbia’s network and subsequently took certain files from our system.” Consumer Affairs
Reports tied to the incident say an online claim from an alleged intruder asserted roughly 460 gigabytes of data were taken; Columbia’s notices and its public statements have focused on identifying affected people and notifying regulators.
Who was affected and the scale of the exposure
Columbia’s filings say the data set includes applicants, current and former students, employees and family members — not just enrolled students or active staff — which explains the large total relative to the university’s on-campus population. The notification filed with Maine’s Attorney General lists 868,969 impacted individuals.
The university said it has found no evidence that patient records from Columbia University Irving Medical Center were affected.
Types of information reportedly exposed
Columbia’s notice and reporting by news outlets indicate that the files taken may include a mix of personal, financial and health information collected from applicants and students. Examples cited in the notices include:
- Names and dates of birth.
- Social Security numbers, where collected.
- Contact and demographic details.
- Academic history and application materials.
- Financial-aid-related information, insurance and some health information. Consumer AffairsBloomberg.com
Not every person had the same fields exposed; the exact data elements vary by whether the individual was an applicant, student, employee or family member, and by what they provided to the university.
University action and support offered to impacted people
Columbia notified affected individuals in writing and reported the incident to law enforcement. The university said it has implemented additional safeguards across systems and is working with outside specialists as it continues its investigation. Columbia also stated it would provide two years of complimentary credit monitoring, fraud consultation and identity restoration services through Kroll to people whose information was impacted.
The university’s public statements emphasize ongoing work to identify affected records and to harden systems against future incidents.
Timeline
- On or about May 16, 2025 — Columbia says an unauthorized actor gained access and removed files.
- June 24, 2025 — A technical outage prompted an internal investigation.
- Early July 2025 — Columbia acknowledged the outage publicly and continued forensic work.
- August 7, 2025 — Notification letters were filed with the Maine Attorney General and mailed to affected residents. Maine
News outlets have reported claims by an individual or group that data were exfiltrated and portions were shared with third parties. Columbia’s notices stop short of reporting confirmed misuse and say it is still investigating. The university has declined to provide additional technical detail beyond what it included in regulator notifications and public statements.
