Columbia University suffered a data breach in approximately April 2025 when a politically-motivated hacktivist using the alias 'niggy' (or 'Computer Niggy Operations') gained unauthorized access to Columbia's IT infrastructure and spent more than two months prowling the network before triggering a multi-day system outage on June 24, 2025. The hacker compromised Columbia's Student Information System (SIS), multiple Active Directory domains (including ADCU and several others), and all VMware ESXi virtualization hosts at both Columbia's Morningside Heights data center and the Syracuse, New York data center. The hacker exfiltrated approximately 460 gigabytes of data and released a 1.6-gigabyte sample to demonstrate authenticity. Columbia disclosed the breach on July 1, 2025 with state attorney general filings on August 7-8, 2025. The same hacker has claimed responsibility for two prior university breaches: the University of Minnesota in July 2023 (with seven million SSNs exfiltrated) and New York University in March 2025 (with NYU's website defaced with admissions data sorted by race), with all three attacks framed as politically motivated efforts to expose continued affirmative-action admissions practices following the U.S. Supreme Court's June 2023 ruling barring race-based admissions.

The breach affected approximately 345,746 individuals based on records indexed by DataBreach.com (with The Record citing approximately 900,000 affected individuals based on subsequent Columbia disclosures). Compromised fields included full names, Social Security numbers, dates of birth, email addresses, phone numbers, addresses, driver's license numbers, financial account information including bank account details for tuition payment and refund processing, medical information, health insurance information, and university-issued identification numbers (UNIs). The attacker also obtained approximately 2.5 million admission applications dating to the late 1990s including university-issued identification numbers, citizenship status, and final admissions decisions. The exposure of SSN combined with date of birth, address, driver's license, financial account, and medical information represents an exceptionally comprehensive identity-fraud kit.

For affected individuals, the practical risk profile is exceptionally severe given the comprehensive identity-data exposure. Affected individuals who are current or former Columbia students, faculty, staff, alumni, or applicants should enroll in the complimentary credit monitoring services offered by Columbia, place a credit freeze with all three credit bureaus (Equifax, Experian, TransUnion), monitor financial accounts and medical records for unauthorized activity, and remain alert to phishing or impersonation attempts referencing real Columbia-association details. The SSN exposure at a university is distinctively concerning because students often do not actively monitor their credit during their studies (because they have no mortgage, car loan, or other large account that would trigger credit-bureau alerts), making student-victim populations especially vulnerable to silent identity-fraud accumulation that may not be apparent until after graduation. Affected international students whose citizenship status was exposed face additional risk including potential targeted profiling. Affected individuals whose admission applications were exfiltrated may face additional risk because the hacker's stated motivation involves the public release of admissions data including racial demographic information, which could subject affected applicants to identification through subsequent media reporting based on the stolen data. Class-action litigation is available for affected individuals seeking compensation, and affected individuals may file complaints with state attorneys general in California, Texas, or other applicable states.

Universities collect identity, contact, academic, financial, employment, applicant, alumni, and research-related records across education, healthcare, and administrative systems.

Columbia disclosed the breach on July 1, 2025 after initially characterizing the June 24, 2025 incident as a 'technical outage' or 'IT outage.' On July 2, 2025, a Columbia official publicly stated that the attack was perpetrated by a 'highly sophisticated' hacktivist with a 'political agenda' who broke in and stole 'targeted' student data. Columbia engaged a top cyber-forensics firm and reported no detected intrusions since June 24, 2025. The hacker subsequently provided tranches of the stolen data to Bloomberg News and The New York Times, both of which ran stories based on the stolen data including the Bloomberg report indicating that the dataset includes approximately 2.5 million admission applications dating to the late 1990s. State attorney general filings in California and Texas on August 7-8, 2025 disclosed approximately 345,746 affected individuals (with The Record citing 900,000 affected individuals based on a separate Columbia disclosure). The case sits within Columbia's broader political conflict with the Trump administration including a $400 million federal research funding freeze that the administration imposed citing concerns about Columbia's handling of pro-Palestine protests on campus and diversity programs.