New York college agrees to $3.5 million cybersecurity investment following data breach

Instead of a $1 million fine, Marymount Manhattan College is investing $3.5 million in its cybersecurity over the next six years.
New York Attorney General Letitia James speaks during the Congressional Black Caucus Foundation Annual Legislative Conference National Town Hall on September 21, 2023 in Washington, DC. (Jemal Countess / Getty Images for Congressional Black Caucus Foundation)

Marymount Manhattan College is investing $3.5 million over the next six years to protect students’ online data after an investigation by the New York Attorney General’s office found that the college failed to properly secure the personal information of prospective and current students, staff and alumni, the office announced last week.

The investment by the college is in lieu of a $1 million fine that was to be paid to the state of New York following a data breach at the college in 2021 that leaked sensitive information for nearly 200,000 people.

“When institutions like Marymount Manhattan College fail to properly protect online data, thousands of New Yorkers are put at risk as a result,” New York State Attorney General Letitia James said in a press release. “In the modern digital age, companies and universities alike must do a better job at safeguarding the personal information with which they are entrusted. This agreement will help ensure that future classes of MMC students, faculty and alumni will have their online data protected.” 

An investigation by James’ office found that in November 2021 an outside party gained access to personal data of nearly 200,000 students, faculty and alumni at Marymount Manhattan College through vulnerabilities in the college’s Microsoft Exchange server. The data included Social Security numbers, birth dates, bank and credit card numbers, medical information, usernames, passwords and personal identification numbers. The hacker encrypted the data on the college’s servers and demanded payment for its return. The group that conducted the breach has not been identified. 


Marymount Manhattan College paid the ransom for the deletion, nonpublication and return of the data and there is no evidence that the personal information was made available, according to James’ office.

During the investigation, the attorney general’s office found that the college did not have policies in place to delete student data after a certain period of time and instead retained personal data for decades. Among other vulnerabilities, the college used outdated versions of Windows and did not conduct regular penetration tests or vulnerability scanning. As a result, the college violated several laws in New York, including a failure to “provide reasonable data security, and not providing timely notice.”

Over the next six years, Marymount Manhattan College’s $3.5 million investment will allow it to maintain a comprehensive information security program, encrypt all personal information and enable multi-factor authentication for users on the college’s network, among other improvements.
