Data of Over 3 Million Applicants Exposed on NYU’s Website

A recent cyber incident involving New York University (NYU) has raised significant alarm in the cybersecurity community, as a hacker gained control of the university’s website for a period of two hours on a Saturday morning. During this time, sensitive information belonging to over 3 million applicants was exposed, including names, test scores, chosen majors, zip codes, and details pertaining to family members and financial aid dating back to at least 1989. The breach, which occurred on a weekend morning, highlights the vulnerabilities in higher education institutions’ cybersecurity defenses.

The university’s website was restored by noon on the same day. During the breach, the hacked page featured charts that purported to show NYU’s average admitted SAT scores, ACT scores, and GPAs for the 2024-25 admissions cycle. The hackers asserted that despite the Supreme Court’s ruling against affirmative action in 2023, NYU persisted in its admissions practices, revealing disparities in test scores and GPAs among applicants from different racial backgrounds.

Reports of the breach first surfaced around 10:30 a.m. on social media platforms, particularly Reddit, where a user shared links to four downloadable CSV files. These files contained extensive admissions data, including demographics, city details, citizenship status, and historical application information for students dating back decades. The dataset also included financial aid details, the number of applicants who applied through Early Decision, and personal information about applicants’ siblings and parents, raising serious concerns about data privacy and protection measures.

NYU’s spokesperson, John Beckman, addressed the situation later in the day, stating that the university’s IT team acted promptly to neutralize the threat and that the redirected webpage had been terminated. Beckman confirmed that the breach had been reported to law enforcement, and steps were being taken to prevent future incidents by enhancing system security. This swift response reflects an increasing acknowledgment within organizations of the need for robust incident response frameworks in the face of rising cyber threats.

The hacking group behind this attack, identified as “Computer Niggy Exploitation,” previously engaged in similar activities, most notably a July 2023 breach at the University of Minnesota, which resulted in the exposure of over 7 million social security numbers alongside comparative demographic analyses. This pattern illustrates a disturbing trend among hackers targeting academic institutions, often seeking to exploit racial and socioeconomic disparities for exposure or ideological motives. Previous breaches at prestigious institutions like Stanford and Georgetown University have demonstrated that data vulnerabilities in academia are not isolated incidents but rather part of a larger issue that poses serious risks to student privacy and institutional integrity.

The techniques potentially utilized in this attack could include multiple tactics outlined in the MITRE ATT&CK framework. Initial access might have been achieved through exploitation of a web application vulnerability, enabling the adversaries to execute code and gain control over the system. Persistence could have been established by deploying malware or backdoors to maintain access beyond the initial breach. Furthermore, privilege escalation techniques may have been employed to access sensitive data repositories, highlighting the need for educational institutions to implement stringent access controls and monitoring systems.

As the higher education sector continues to grapple with the implications of data breaches, this incident involving NYU serves as a stark reminder of the necessity for ongoing vigilance in cybersecurity strategies. Institutions must prioritize not only the protection of sensitive data but also invest in comprehensive training and awareness programs to empower staff and students against social engineering and other attack vectors. The effectiveness of cybersecurity measures is only as strong as the human element supporting it, underscoring the importance of fostering a culture of security awareness within educational environments.

For further inquiries or detailed discussions on cybersecurity best practices, professionals are encouraged to contact journalist Dharma Niles, Krish Dev, and Yezen Saadah.

Source link