More Than Seven Million People Impacted by University of Minnesota Data Breach, Class Action Says

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action claims the University of Minnesota (UMN) failed to protect the private information of more than seven million people during a cyberattack reportedly discovered in July 2023.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 60-page lawsuit says the public research university first learned of the data breach on July 21, when a hacker with the username “niggy” posted on the dark web claiming to have gained access to UMN’s computer systems and obtained personal information stored there, including digitized records from as early as 1989.

According to the notice posted on the university’s website, a subsequent investigation concluded that the threat actor had likely gained unauthorized access to the network two years before, in 2021.

The notice shares that the cyberattack impacted university employees, students, prospective students and individuals who participated in UMN programs between 1989 and August 2021. It also states that the breach may have exposed individuals’ full names, addresses, telephone numbers, Social Security numbers, driver's license or passport details, university identification numbers, dates of birth, demographic data, admissions applications, employment information and more.

Despite the university’s legal obligation to safeguard the information in its care, the defendant failed to implement adequate cybersecurity practices to protect the data, which it allegedly stored unencrypted and in a “vulnerable” and “negligent manner” in its database, the suit claims.

To make matters worse, UMN did not begin notifying victims until August 2023, weeks after the incident was purportedly detected and roughly two years after it occurred, the case charges.

“As a result of [the defendant’s] delay in detecting and notifying consumers of the Data Breach, the risk of fraud for [the plaintiffs] and Class Members has been driven even higher,” the complaint contends.

As the filing tells it, the university’s data security obligations were “particularly important” in light of the frequency of cyberattacks in the education sector in recent years and the vast amount of confidential information stored in its database.

The plaintiffs, two Minnesota residents who entrusted their data to UMN more than a decade ago, received email notices from the defendant on September 28 of this year informing them that their private information had been compromised in the breach, the suit says.

Like other victims, the plaintiffs now face an increased risk of identity theft, fraud and other illegal schemes as a result of the university’s alleged negligence, the case claims.

The lawsuit looks to represent anyone in the United States whose personal information was actually or potentially accessed or acquired during the University of Minnesota data breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.