on campus

Student files class action lawsuit against SU over data breach that affected 10,000

Nabeeha Anwar | Illustration Editor

The breach the lawsuit refers to occurred late on Sept. 25 after a university employee fell victim to a phishing attack.

Get the latest Syracuse news delivered right to your inbox.
Subscribe to our newsletter here.

A Syracuse University student affected by a data breach that exposed the names and Social Security numbers of nearly 10,000 students, alumni, and applicants is suing the university for negligence. 

The class action lawsuit, which was filed in Onondaga County Supreme Court on Thursday, alleges that inadequate cybersecurity protocols and poor staff training at SU left thousands of people’s personally identifiable information vulnerable. The plaintiff filed the case after an unauthorized charge was made to his checking account following the breach. He is requesting a trial by jury. 

The university doesn’t comment on pending litigation, said Sarah Scalese, senior associate vice president for university communications, in a statement to The Daily Orange.

The breach the lawsuit refers to occurred late on Sept. 25 after a university employee fell victim to a phishing attack in which the employee clicked a link and exposed their credentials to a “malicious actor.” 


The university locked the compromised account on Sept. 28, and SU’s Information Technology Services tried to establish what information had been exposed. The department didn’t detect that any files were accessed or copied by the unauthorized party but couldn’t prove that the files weren’t accessed either, said Steven Bennett, senior vice president for international programs and academic operations, told The D.O. in February. 

On Oct. 6, SU hired a firm that specializes in data security to assist with the investigation. The firm finished its investigation on Jan. 4, but it was unable to confirm whether files containing names and Social Security numbers had been accessed. The university sent letters to those whose information was exposed on Feb. 4.

The lawsuit alleges that SU’s four-month delay notifying those affected by the breach compounded the actual and potential harm of the security failure. 

SU officials defended their handling of the breach during an interview with The D.O. in February. State law requires that institutions inform people of data breaches via U.S. mail. Because the independent firm SU partnered with to send the notification letter had to track down the mailing addresses of applicants and others not enrolled at the university, the process took considerable time; still, SU said it believes its response time was average or slightly above average, officials said.

In response to the breach, the university said it would establish a task force to look at the management of digital documents. University officials also said it will increase training for staff to prevent another similar breach and will move the entire campus to a two-factor authentication sign-in system. 

SU partnered with Experian, a consumer credit and reporting company, to provide temporary, free credit monitoring and identity theft services to those affected by the breach. The lawsuit called the services “insufficient” given the long-term consequences of data breaches and alleged that SU offered those affected an “unreasonably short window of opportunity” to claim the services. 

Applicants, students, alumni and others affected by the breach relied on SU to safeguard their information, the lawsuit reads, “and while (SU) was in a position to protect against harm from a data breach, (it) negligently and carelessly squandered that opportunity.”

Support independent local journalism. Support our nonprofit newsroom.

Top Stories