Columbia University Hit with Class Action Over MOVEit Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Columbia University faces a proposed class action over a May 2023 data breach that exposed personal information belonging to current and former students, employees and applicants.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 26-page lawsuit against the private New York City university says that Social Security numbers, dates of birth, financial information and other sensitive data were stolen on May 30 of this year when cybercriminals exploited a security vulnerability in the MOVEit file transfer service.

According to the complaint, Columbia fell victim to the widespread attack targeting MOVEit due to its failure to implement adequate cybersecurity measures. As part of its legal duty to safeguard consumer data from unauthorized access, the defendant was responsible for ensuring that its third-party vendor’s systems were sufficiently protected, the case alleges.

“[The defendant’s] data security obligations are and were particularly important given the substantial increase in cyberattacks and/or data breaches widely reported on in the last few years,” the filing says, further noting that Columbia should have already been aware of this risk since it suffered a previous data breach in 2007.

Related Reading: 2023 MOVEit Data Breach Lawsuits

The suit stresses that the university’s alleged negligence has exposed affected individuals to an ongoing threat of identity theft crimes and fraud, often forcing victims to spend many hours and large sums of money mitigating the consequences.

The plaintiff, a former student, says she has experienced three separate fraud issues with her credit card account since the cyberattack occurred. Per the complaint, the woman learned on July 21 that an unauthorized individual attempted to spend over $1,000 using her credit card. The next day, she received another notification stating that her credit card was used to try to spend $800 without her knowledge or consent, the case says.

“As a result of both incidents, [the plaintiff] had to spend numerous hours over the following weeks working with her bank to investigate the fraudulent activity, and to receive a new credit card,” the suit shares. Nevertheless, the woman says she suffered a third fraud attempt immediately after her new card arrived.

The filing goes on to stress that Columbia has failed to inform the plaintiff and other victims that their information was compromised several months ago. Despite the defendant’s silence on the issue, a list submitted to the California Attorney General’s Office by the National Student Clearinghouse in September 2023 names Columbia University as one of the nearly 900 colleges affected by the MOVEit data breach, the case relays.

The lawsuit looks to represent anyone whose sensitive information, provided to the defendant as part of their application to, enrollment at or employment by Columbia University, was exposed to unauthorized access by way of the data breach on or about May 30, 2023.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.