320K+ exposed in Monroe University hacker attack

The New York-based university had somebody roaming its systems for two weeks, accessing a trove of sensitive information that includes everything from passport numbers to financial account information.
- Monroe University suffered a data breach affecting over 320K individuals in December 2024.
- Attackers likely accessed sensitive information including SSNs, passports, medical records, and financial account data.
- Medical identity theft poses significant risk as health data is non-recoverable.

Monroe University reached out to many thousands of individuals exposed in a 2024 data breach. According to the school’s data breach notice, a “third party” gained access to its systems between December 9th, 2024, and December 23rd, 2024.
Moreover, attackers managed to get their hands on some of the data stored on Monroe University's systems. After the cyber intrusion was discovered, Monroe launched a lengthy investigation, which concluded in late September of 2025.
Information the university submitted to the Maine Attorney General’s Office revealed that over 320,000 individuals had their details exposed in the attack.
Meanwhile, the inquiry revealed that attackers may have accessed a treasure trove of personal information, including:
- Names
- Dates of birth
- Social Security numbers
- Driver’s licence numbers
- Passport numbers
- Government ID numbers
- Medical information
- Health insurance information
- Passwords
- Financial account information
- Student data
The extent of the attack created numerous cyber risks for the individuals involved. Most obviously, attackers can attempt to use names, addresses, and other data points for identity theft by setting up fraudulent accounts or filing fraudulent tax claims.
However, the real danger here is medical identity theft and insurance fraud. In such cases, attackers can impersonate individuals to obtain prescription drugs. And if the stolen information includes patient histories, it could lead to cases of blackmail.
What makes matters worse is that medical and biometric data are non-recoverable, which means that, unlike passwords or credit cards, users cannot change their medical histories once they've been compromised.
However, the university noted that it has no evidence “that information involved in this incident has been used for identity theft or fraud.”
“As a precautionary measure and best practice, all individuals should remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing account statements and monitoring credit reports closely,” the school’s data breach notice said.
Universities under attack
Universities often compile large amounts of personal information, making them prime targets for cybercriminals.
For example, last October, a ransomware gang shared 1.4TB of Harvard University’s data on its leak site on the dark web. The published data includes logs and reports from Harvard’s internal payment system as well as source code for various internal tools.
In August, Columbia confirmed a data breach to authorities, which exposed the personal details of nearly 900,000 individuals who either attempted to enroll at the university or studied there.
In April, a ransomware gang targeted a hotel chain serving Yale University. According to the attackers’ claims, private confidential data, client documents, and financial information were stolen.
US universities are hardly the only ones getting blasted by hackers. In the last days of 2025, two French universities, the University of Lille and the Grenoble École de Management, were targeted by attackers.