Do Son 
The website of New York University (NYU) fell victim to a cyberattack that led to the exposure of personal data belonging to more than three million applicants spanning the last thirty years. On the morning of March 22, a malicious actor breached the university’s webpage and, for at least two hours, disseminated sensitive information, including names, standardized test scores, intended majors, postal codes, as well as familial details and records of financial aid.
The compromised page displayed graphs purportedly illustrating standardized test scores and GPAs of admitted students for the 2024–25 application cycle.
The homepage was temporarily replaced with a message accusing the university of continuing to use race-based admissions policies, despite the 2023 U.S. Supreme Court ruling that struck down affirmative action. The attackers claimed that applicants of Asian and white descent had higher average scores than those identifying as Latino or African American.
Three charts were posted on the defaced page, allegedly reflecting aggregated data of incoming students for the 2024–2025 academic year. Four downloadable CSV files were also made available, containing NYU admissions data dating back to 1989. These files included information not only about accepted applicants but also those who were denied admission—revealing race, citizenship, mailing addresses, family numbers, and details about parents, siblings, Early Decision submissions, and financial aid applications.
The breach was first reported by a Reddit user around 10:30 a.m. By midday, NYU had restored the website, though the data leak had already garnered widespread attention. According to university spokesperson John Beckman, NYU’s IT department promptly initiated response efforts and notified law enforcement. A comprehensive review of system security and vulnerabilities is currently underway.
This incident is not the first involving leaked admissions data coupled with criticism of race-based policies. In July 2023, the same group—operating under the alias “Computer Niggy Exploitation”—released information on more than seven million individuals after breaching the University of Minnesota’s admissions system. That breach included Social Security numbers, prompting a class-action lawsuit from alumni whose data was compromised.
Similar breaches have occurred at other leading U.S. universities. In 2019, Stanford University suffered a leak that exposed students’ personal details, including addresses, citizenship, and test scores. In 2024, Georgetown University experienced a breach revealing records related to financial aid, visa status, and academic performance.
NYU has previously expressed opposition to the Supreme Court’s decision to eliminate racial quotas in admissions. In July 2023, the university’s administration characterized the ruling as “a step backward.” However, by October of the same year, the university reported a sharp decline in enrollment among underrepresented ethnic groups: the percentage of Black students dropped from 7% to 4%, while Latino representation fell from 15% to 10%. University President Linda Mills acknowledged that such an outcome was anticipated and affirmed NYU’s commitment to seeking alternative approaches.
This data breach—spanning decades of admissions records and impacting millions of applicants—has reignited concerns over data security in higher education. The incident raises pressing questions: how vulnerable are students to cyber threats, and where should the line be drawn between the pursuit of social equity and the right to personal data privacy?
