Another serious breach has hit the education sector, and this time, it’s New York University (NYU) at the center. Over the weekend, a hacker took over NYU’s website for several hours, exposing sensitive information tied to more than 3 million applicants — dating all the way back to 1989.

For IT and security teams across industries, this breach is another warning: legacy data, political tensions, and cloud platforms create a potent mix of vulnerabilities that attackers are increasingly willing to exploit.

On Saturday morning, NYU’s homepage was hijacked to display:

• Charts comparing SAT, ACT scores, and GPAs across racial demographics.
• Claims that NYU continued race-sensitive admissions practices even after the 2023 U.S. Supreme Court ruling against affirmative action.

More critically, the attacker linked four CSV files publicly containing:

• Names, majors, test scores, and zip codes
• Financial aid details
• Information about applicants’ siblings and parents
• Citizenship status
• Rejected applicant data

The breach was first noticed around 10:30 a.m. on Reddit and the university managed to restore the website by noon.

The hacker group used the pseudonym “Computer Niggy Exploitation,” the same group that, in July 2023, exposed over 7 million Social Security numbers by breaching the University of Minnesota’s admissions records.

Their method — leveraging sensitive admissions data to challenge racial admissions practices — mirrors this latest attack on NYU.

NYU’s spokesperson confirmed that:

• The university’s IT team responded immediately.
• Law enforcement was notified.
• NYU is reviewing and strengthening its systems to prevent future attacks.

This incident highlights several realities we can’t afford to ignore:

• Historical data is a growing liability — many institutions retain decades-old applicant data that can become a prime target.
• Sensitive social and political topics like affirmative action are being exploited by attackers to create maximum disruption.
• Common Application data integrations are another potential weak link, given how much personal information they aggregate.

NYU’s experience isn’t isolated. Other top universities, including Stanford and Georgetown, have recently suffered similar breaches, exposing students’ financial and personal data.