A private university in New York State is being sued for negligence by one of its students over a data breach that may have exposed thousands of Social Security numbers.
Syracuse University (SU) suffered a data breach on September 25 last year after an employee fell victim to a phishing attack and clicked on a malicious link.
The compromised account was secured by September 28, but the security incident may have exposed the names and Social Security numbers of nearly 10,000 students, alumni and university applicants.
An investigation into the security incident, which finished on January 14, was reportedly unable to definitively state whether files containing names and Social Security numbers had been accessed by an unauthorized third party.
In February, Syracuse University, which offers a Master’s in Cybersecurity, began contacting individuals affected by the data breach to warn them that their personal information may have been exposed.
Commenting on the breach, Steven Bennett, senior vice president for international programs and operations at SU, said in February: “This was a really regrettable event. I understand it’s quite upsetting to some people.”
He added: “We are looking to tighten up the management of any document that has personally identifiable information in it. That was something that, in the wake of this event, we realized we really needed to do, and that’s underway at the moment.”
On Thursday, one of the students who was impacted by the breach filed a class action lawsuit against SU in Onondaga Supreme Court. The plaintiff alleges that SU didn’t do enough to protect the personally identifiable information (PII) entrusted to its care.
He claims that inadequate staff cybersecurity training and deficient cybersecurity protocols at the educational establishment left sensitive data vulnerable to exposure. The lawsuit further alleges that SU increased the potential harm caused by the breach by waiting four months after the incident to inform impacted individuals.
The plaintiff decided to take legal action against the university after he discovered an unauthorized charge on his checking account in the wake of the breach.
In a statement to The Daily Orange, SU’s senior associate vice president for university communications, Sarah Scalese, said that Syracuse University does not comment on pending litigation.