NY college forced to invest $3.5 million in cybersecurity after breach affecting 200,000
New York state’s attorney general is forcing a college to invest $3.5 million into cybersecurity after a 2021 data breach leaked troves of sensitive information about almost 200,000 people.
Attorney General Letitia James and Marymount Manhattan College (MMC) announced an agreement on Thursday that will see the New York City liberal arts institution invest heavily to address data security deficiencies exposed during a 2021 ransomware attack.
“When institutions like Marymount Manhattan College fail to properly protect online data, thousands of New Yorkers are put at risk as a result,” James said in a statement. “In the modern digital age, companies and universities alike must do a better job at safeguarding the personal information with which they are entrusted. This agreement will help ensure that future classes of MMC students, faculty, and alumni will have their online data protected.”
An investigation conducted by James’ office found that on or around November 12, 2021, hackers exploited vulnerabilities in a Microsoft Exchange server that gave them access to social security numbers, dates of birth, bank and credit card numbers, passport numbers, driver’s license numbers, medical information, and usernames and passwords.
In total, 191,752 actual or prospective students, employees, and alumni were affected, including 99,097 residents of New York. Located on Manhattan’s Upper East Side, the school has an undergraduate enrollment of about 1,600.
MMC paid the ransom to the group, which has not been identified. The school spent eight months investigating the situation and submitted findings to the attorney general’s office, noting that some of the data was more than 10 years old and came from people who had not even attended the school.
The attorney general’s office began its investigation of the situation in August 2022, finding “a number of deficiencies in MMC’s technical, administrative, and procedural safeguards for its Technical Infrastructure prior to the breach.”
The school violated several New York laws, most notably failing to “provide reasonable data security, and not providing timely notice.”
MMC did not admit or deny the investigation’s findings, instead agreeing to take several actions in addition to the $3.5 million investment. The school will create an information security program, provide annual training to employees, encrypt sensitive data and conduct yearly penetration tests.
The institution was facing a fine of $1 million to New York state, but officials suspended the payment in exchange for the promise to invest in cybersecurity controls between 2023 and 2029. If the school fails to institute the agreed-upon measures, it will have to pay the $1 million fine with interest.
James’ office and New York regulators have repeatedly penalized organizations for failing to protect the data of customers, issuing stiff fines to clothing giant Shein, Carnival Cruises, grocery chain Wegmans, retailer Sports Warehouse, a medical management company, insurer EyeMed, OneMain Financial Group, a prominent law firm and other organizations.
Her office also published a guide for data security in an effort to help organizations better secure user information.
A report this week from security firm Comparitech said that from 2018 to mid-September 2023, 561 educational institutions were hit with ransomware, costing the world economy more than $53 billion in estimated downtime alone.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.