
Hackers Deface NYU Website, Expose Data on Millions

Hackers replaced the NYU homepage with charts and links to large student datasets.

The hacker CLAIMED he redacted personal data but a security expert said “not really”.

The charts linked to four different databases that include personal information on applicants to NYU.

The security expert said the hacker did not redact the information correctly and leaked information on more than a million people. The data includes names, addresses, phone numbers and more.

NYU says they are working with a cybersecurity firm to figure out whose data was compromised (so they can get sued; no, not really, so they can notify them. The getting sued part comes later).

The group that hacked NYU also claimed responsibility for hacking the University of Minnesota and leaking information on 7 million current and former students.

Ignoring for right now the hacker’s motive (since that is not a cybersecurity or privacy issue), there is a bigger issue. If you were a student at NYU in 1989, is it reasonable that you have to be concerned that your personal data would be compromised more than 30 years later?

Companies have decided that disk space is cheap, especially in the cloud. As a result, why delete old data?

In olden times (like in the early 2000s), disk space was limited and expensive, so companies deleted old data. Now disk space is basically free.

But here is the question that you might want to ponder.

There are many estimates of the cost to a company of each record breached. The common numbers are around $150-$200 per record. But let’s be conservative. Let’s say it is only, maybe, $75 per record.

In NYU’s case, $75 x 3 million is over $200 million. Double that if the number is really $150. Let’s also say that NYU has $50 million in cyber liability insurance. Let’s also be kind and hope the insurance company does not tell them that they lied on their insurance application or that they didn’t comply with the terms of the policy (that happens all the time). That will bring the check that they have to write down to, say, $175 million. Or $400 million using the larger number.

Is having that data spinning around freely worth $175 million? Or $400 million?

Of course, NYU figured they had great computer security.

Apparently not, however.

So that is a question facing business executives. If they keep the data for 10 or 15 years and save a hundred million dollars in case of a breach, is that a reasonable tradeoff?

Or you keep the data in a vault.

At least one reader of this blog will recognize what I am about to say. I know one company that archives that VERY, VERY old data. It is on an air-gapped computer. In the basement of the HQ building. Powered off unless they need it. Behind securely locked doors. They can get to it if they need it (and yes, you should have, again air-gapped, off-site backups). But you have just made it geometrically harder for the hackers to steal it.

If you need help coming up with a data retention policy, we are happy to assist. Please contact us. Credit: The Record
