New York Attorney General (AG) Letitia James has reached an agreement with Marymount Manhattan College (MMC), a private non-profit liberal arts college in New York City, to invest $3.5 million in data security to protect students’ online data.
The agreement follows a 2021 data breach that impacted 100,000 New Yorkers who were current and prospective MMC students, faculty, and alumni. Information compromised in the attack included Social Security numbers, bank and credit card numbers, passport numbers, driver’s license numbers, and medical information. The AG’s office noted that some of the data was over 10 years old and came from applicants who never attended MMC.
Following the breach, the hacker encrypted the information and demanded a ransom in exchange for its return. MMC paid the ransom, and the stolen data was deleted.
The AG’s office then launched an investigation and found that the school failed to properly secure its network infrastructure and failed to update its policies to address new security concerns, which the AG said made it vulnerable to a data breach. As a result of the agreement, MMC is required to invest $3.5 million to improve data encryption and security protocols to mitigate the risk of future breaches.
“When institutions like Marymount Manhattan College fail to properly protect online data, thousands of New Yorkers are put at risk as a result,” said Attorney General James. “In the modern digital age, companies and universities alike must do a better job at safeguarding the personal information with which they are entrusted. This agreement will help ensure that future classes of MMC students, faculty, and alumni will have their online data protected.”
Over the next six years, MMC must invest $3.5 million to better protect the personal information of consumers, including by:
- Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
- Encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
- Maintaining reasonable policies to perform security updates and patch management;
- Enabling multifactor authentication for users logging into MMC’s networks;
- Scanning for vulnerabilities and potential weaknesses; and
- Publicly sharing the university’s plan describing the purpose of the personal information it collected and retained, and the timeline for its deletion.