Columbia University has issued a stark warning to its community after a major data breach last summer, revealing that sensitive personal information for hundreds of thousands was stolen by a politically motivated hacker.
Scope of the Stolen Data
The university confirmed in an email on Monday, 12 January 2026, that the cyber attack resulted in the theft of highly sensitive data. The compromised information includes names, dates of birth, and Social Security numbers. Furthermore, any personal details submitted during applications or collected during enrolment were accessed.
This encompasses contact details, demographic information, academic history, and crucially, financial aid and health insurance records. The breach is reported to have impacted approximately 870,000 individuals, including students, employees, and applicants, according to draft notices cited by Bloomberg.
A 'Highly Sophisticated' Political Hack
The intrusion occurred on or around 15 May 2025, a period when Columbia was engaged in sensitive negotiations with the Trump administration. The university was seeking to restore hundreds of millions of dollars in federal funding that had been withdrawn amid allegations of campus antisemitism and discrimination.
During the attack, university systems were disrupted, and an image of a smiling Donald Trump appeared on some computer screens. Columbia described the breach in July 2025 as the work of a "hacktivist" aimed at "furthering their political agenda." A hacker claiming responsibility told Bloomberg they stole data to investigate whether Columbia was still using race-conscious admissions practices, which the Supreme Court had outlawed in 2023.
Response and Ongoing Fallout
In response to the crisis, Columbia engaged the FBI and cybersecurity firm CrowdStrike to investigate. The university states it is not aware of any identity theft or fraud stemming from the breach but has implemented new security safeguards across its systems.
As a protective measure, Columbia is offering affected individuals free credit monitoring and identity restoration services. The breach came to light months after the university reached a $220 million settlement with the Trump administration in July 2025, which also required changes to admissions policies and campus monitoring.