By Anne Levin
Responding to two class action suits filed over the breach of a database at Princeton University that exposed personal information of students, alumni, donors, some faculty, and other members of the University community, representatives of the school have indicated their intention to fight the charges.
“We believe these claims are without merit, and we plan to contest them vigorously,” said Jennifer Morrill, the University’s director of media relations, in an email.
The suits filed by Henggao Cai and David Ramirez claim that information in the database includes names, degrees, contact information, email addresses, phone numbers, and information concerning fundraising activities and donations made to the University.
It was discovered on November 10 that a Princeton University Advancement database had been compromised by outside actors. In a November 15 message sent to those potentially affected by the breach, the University said its teams were “working around the clock with outside experts and law enforcement,” and urged the community to be on alert though it was believed that Social Security numbers, passwords, or financial information such as bank account or credit card numbers were not compromised.
An update on November 18 said it was not known “precisely what information was viewed or extracted. The database in general contains biographical information pertaining to University fundraising and alumni engagement activities.”
The email reiterated the belief that Social Security numbers, passwords, credit card information, and bank account records were not compromised. All alumni, their spouses and partners, widows and widowers of alumni, any donor to the University, parents of current and past students, current students, and current and past faculty and staff are potentially affected. Everyone for whom the University has a valid email address in the database was sent the notification.
The service disruption began affecting some University systems on November 14. “We discovered the incident and removed the attacker(s) from our systems within 24 hours, and believe that no other Princeton technology system was compromised,” reads the November 15 message signed by Vice President for Information Technology Daren Hubbard and Chief Information Officer Kevin Heaney, Vice President for Advancement.
The two lawsuits, filed in U.S. District Court for New Jersey, charge that the University was negligent in failing to provide sufficient safeguards against such a phishing incident.
“It is estimated that the value of Princeton’s annual revenue and net assets is over $36 billion,” reads the Ramirez suit. “In other words, Princeton could have afforded to implement adequate data security prior to the data breach but deliberately chose not to.”
Leanna A. Loginov, the attorney for Ramirez, wrote in the complaint, “Cybercriminals have accessed and obtained everything they need to commit identity theft and wreak havoc on the personal lives of thousands of individuals.”
Cai’s attorney, Kevin Laukaitis, wrote that the information in the data breach “contained highly confidential data, representing a gold mine for data thieves.”
Other educational institutions hit by cyber attacks in recent months include Columbia University and the University of Pennsylvania.
