Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Columbia University

Columbia University Vendor Cyber Rating & Cyber Score

columbia.edu

For more than 250 years, Columbia has been a leader in higher education in the nation and around the world. At the core of our wide range of academic inquiry is the commitment to attract and engage the best minds in pursuit of greater human understanding, pioneering new discoveries and service to society.


Columbia University A.I CyberSecurity Scoring

Columbia University
Company Information
Website:http://columbia.edu
Employees number:23,329
Number of followers:740,462
NAICS:6113
Industry Type:Higher Education
Homepage:columbia.edu
Columbia University Risk Score (AI oriented)
Between 600 and 649
logo
Columbia UniversityHigher Education
Updated:
24/06/2026
634/1000
Poor
Caa
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
Columbia University Global Score (TPRM)
xxxx
logo
Columbia UniversityHigher Education
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

Columbia University
Columbia UniversityPoor
Current Score
634Caa (POOR)
01000
4 incidents
-31.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
636Before Incident
JUNE 2026
634Before Incident
MAY 2026
649Before Incident
Cyber Attack
01 May 2026Columbia University
Instructure, Udemy, Harvard, Rutgers and Columbia: Inherited Trust: Why Education Environments Keep Getting Breached Globally

Cyberattacks on Education Sector: Identity Abuse and SaaS Exploitation Drive Surge in Breaches

628After Incident
CRITICAL-21
INSRUTUDEHARCOL1782312004
Cyberattacks on Education Sector Evolve: Identity Abuse and SaaS Exploitation Drive Surge in Breaches Cyberattacks targeting educational institutions have shifted from opportunistic ransomware campaigns to sophisticated, identity-driven intrusions leveraging trusted platforms and valid credentials. Recent incidents linked to the threat group ShinyHunters including breaches at Udemy and Instructure (Canvas) highlight a growing trend: attackers no longer breach systems externally but instead operate within them, exploiting SaaS access, federated identities, and operational trust to evade detection. ### Key Trends and Incidents - Rising Threat Volume: Cyber incidents in the education sector surged 63% year-over-year, with 425 reported attacks between November 2024 and October 2025 up from 260 the prior year. Data breaches increased by 73%, while hacktivist activity rose 75% across 67 countries. The UK’s Cyber Security Breaches Survey 2025/2026 found that 98% of universities and 88% of further education colleges experienced a breach in the past 12 months, far exceeding the broader business average. - Udemy Breach (2025): ShinyHunters compromised 1.4 million records, including PII, instructor payout data, and corporate details, after the company refused extortion demands. The leaked data was later indexed by Have I Been Pwned, amplifying downstream phishing and credential-stuffing risks. - Canvas Breach (May 2026): The group exfiltrated 3.65TB of data tied to 275 million students, faculty, and staff across 9,000 schools worldwide. Attackers exploited "Free-for-Teacher" accounts to pivot into the SaaS platform, defacing 330 institution login portals including those of Harvard, Stanford, Columbia, and Rutgers and disrupting operations during critical academic periods. ### Attack Vectors: Identity Debt and SaaS Abuse - Identity Persistence as a Weakness: Educational institutions struggle with "identity debt" accumulated credentials from alumni, shared lab access, and temporary research accounts that persist beyond their intended use. Attackers exploit these valid but unmanaged identities to move laterally without triggering traditional security alerts. - SaaS as the New Intrusion Layer: Once inside, attackers embed themselves in cloud platforms (Microsoft 365, Google Workspace, Canvas) rather than endpoints. Techniques include: - OAuth abuse (e.g., granting Mail.Read or Files.Read.All permissions). - Mailbox manipulation (forwarding rules, suppressed security alerts). - API-driven access to reduce visibility. - Federated Identity Risks: Cross-institution collaboration via federated systems expands the blast radius of a single compromised identity. The Canvas breach demonstrated how a vendor compromise could cascade into sector-wide disruption. ### Operational Shifts in Extortion Tactics - Ransomware’s Decline as a Primary Tool: While ransomware persists, groups like ShinyHunters now prioritize data theft, leak-site pressure, and public exposure over encryption. The Canvas attack coincided with finals season, maximizing reputational and operational damage. - IT Impersonation and Social Engineering: Attackers pose as IT support staff to initiate MFA resets, password changes, or device registrations, exploiting operational trust rather than software vulnerabilities. ### Broader Implications The education sector’s open, collaborative model reliant on shared SaaS platforms, federated identities, and decentralized administration creates systemic vulnerabilities. As attackers refine their methods, the focus has shifted from preventing unauthorized access to detecting abuse of legitimate credentials and mitigating cross-institution propagation. The recent breaches underscore that vendor compromise now equals institutional compromise, with single intrusions capable of disrupting thousands of schools simultaneously.
INCIDENT DETAILS -
TYPE
Data BreachIdentity AbuseSaaS Exploitation
MOTIVATION
Data TheftExtortionReputational DamageOperational Disruption
IMPACT
PIIInstructor Payout DataCorporate DetailsStudent/Faculty/Staff DataMicrosoft 365Google WorkspaceCanvasInstitution Login PortalsOperational Impact: Disruption during critical academic periods (e.g., finals season)Brand Reputation Impact: Defacement of 330 institution login portals (e.g., Harvard, Stanford, Columbia, Rutgers)Identity Theft Risk: Downstream phishing and credential-stuffing risks
DATA BREACH
PIIInstructor Payout DataCorporate DetailsStudent/Faculty/Staff Data1.4 million (Udemy)3.65TB (Canvas)Sensitivity Of Data: High (PII, academic records, operational data)
APRIL 2026
713Before Incident
Breach
24 Apr 2026Columbia University
Udemy, McGraw-Hill, Vercel and Harvard University: Udemy Data Breach – ShinyHunters Allegedly Claims Compromise of 1.4M User Records

ShinyHunters Claims Major Data Breach of Udemy, Threatens to Leak 1.4M Records

688After Incident
CRITICAL-25
MCGVERHARUDE1777034314
ShinyHunters Claims Major Data Breach of Udemy, Threatens to Leak 1.4M Records On April 24, 2026, the cybercriminal group ShinyHunters announced a data breach targeting Udemy, one of the world’s largest online learning platforms, alleging the theft of over 1.4 million records containing personally identifiable information (PII) and internal corporate data. The group issued a "Pay or Leak" ultimatum, demanding a response from Udemy by April 27, 2026, or risk public exposure of the stolen data. ShinyHunters, a financially motivated extortion group active since 2019, has built a reputation for high-profile breaches, including the 2020 theft of 200 million records from 13 companies. In 2026 alone, the group has intensified attacks on SaaS platforms and the education sector, with recent victims including Vercel, McGraw-Hill, and Harvard University (where 115,000 alumni records were exposed). Google Threat Intelligence tracks the group under the designation UNC6240, noting its shift from traditional network exploitation to social engineering, MFA bypass, and credential harvesting. ShinyHunters often exploits third-party integrations and compromised vendor credentials, as seen in the Vercel breach, where a third-party vendor (Context.ai) served as the entry point. The education sector remains a prime target, with ShinyHunters previously breaching India’s Unacademy, stealing over 10 million user accounts. As of publication, Udemy has not confirmed or denied the breach, and researchers continue monitoring the group’s leak site for potential data release following the deadline. The incident underscores the group’s evolving tactics and persistent focus on high-value targets.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Financial Extortion
IMPACT
Data Compromised: 1.4 million recordsIdentity Theft Risk: High
DATA BREACH
Personally Identifiable Information (PII)Internal Corporate DataNumber Of Records Exposed: 1.4 millionSensitivity Of Data: High
MARCH 2026
711Before Incident
FEBRUARY 2026
710Before Incident
JANUARY 2026
755Before Incident
Breach
07 Jan 2026Columbia University
Dartmouth College, Harvard University, Princeton University, Columbia University and Clemson University: Why Cyberattacks in Higher Ed Keep Proliferating

Multiple University Data Breaches Due to Social Engineering Attacks

707After Incident
CRITICAL-48
DARHARPRICOLCLE1767881845
Higher Education Under Siege: A Wave of Cyberattacks Exposes Systemic Vulnerabilities In the first half of 2025, a surge of cyberattacks has targeted major U.S. universities, exposing critical weaknesses in higher education’s cybersecurity defenses. The University of Pennsylvania, Harvard University, and Princeton University all reported breaches within the past two months, following earlier incidents at Columbia University, Dartmouth College, and New York University. Each institution confirmed the attacks stemmed from social engineering, with Harvard and Princeton specifically citing phone-based phishing as the entry point. Officials at the affected schools stated they acted swiftly to contain the breaches and are reinforcing security measures. However, experts warn that universities face an uphill battle. Mike Corn, a former chief information security officer in higher education and current consultant at Vantage Technology, noted that colleges operate like "small cities," with decentralized networks, personal devices, and diverse user behaviors creating countless vulnerabilities. Even robust investments in cybersecurity, he argued, cannot guarantee immunity from attacks—especially as AI-driven threats grow more sophisticated. The challenges extend beyond technology. Brian Nichols, CIO at the University of Kentucky, highlighted that while phishing simulations and training have improved awareness, they are not foolproof. Anita Nikolich, director of research and technology innovation at the University of Illinois at Urbana-Champaign, warned that punitive security measures can backfire, alienating faculty who may resist protocols perceived as restrictive. A core tension lies in academic freedom versus centralized IT control: many universities allow individual departments—such as medical or business schools—to maintain separate IT teams, increasing risk. Nikolich, who previously led IT infrastructure at the University of Chicago, described this fragmentation as a "huge risk factor," as decentralized systems complicate consistent security enforcement. Faculty resistance further complicates the issue. Janice Lanham, a nursing lecturer at Clemson University, nearly fell victim to a phishing scam but caught the deception in time. Yet, as Brian Voss, Clemson’s CIO, observed, some professors view security protocols as obstacles to research and teaching. Voss described a "culture of subservience" in higher-ed IT, where departments prioritize faculty demands over security, often retaining excessive data—including sensitive information like Social Security numbers—despite the risks. His efforts to reduce data storage have met resistance, with one university even retaining personal data for voter registration purposes, creating what he called "piles of gold for bad guys." The conflict between research needs and security is particularly acute. Nikolich, who also conducts quantum computing research, faced initial pushback when requesting network data for her work. After demonstrating the data’s non-sensitive nature and potential security benefits, she gained access—but noted that other universities default to blanket denials. When researchers are blocked, she warned, they often bypass official channels, increasing exposure. The solution, Nikolich suggested, lies in collaboration: IT, security teams, and faculty must treat cybersecurity as a shared priority, balancing innovation with protection. Until then, universities remain prime targets—caught between the demands of open academic environments and the escalating sophistication of cyber threats.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Data Compromised: Personal data of students, faculty, and staffSystems Affected: Internal university systemsOperational Impact: Disruption of university operations, increased security protocolsBrand Reputation Impact: Reputational damage to affected universitiesIdentity Theft Risk: High (potential exposure of personally identifiable information)
DATA BREACH
Type Of Data Compromised: Personal data, potentially including personally identifiable informationSensitivity Of Data: High (personal and potentially sensitive information)Personally Identifiable Information: Likely (e.g., Social Security numbers, payroll data)
DECEMBER 2025
755Before Incident
NOVEMBER 2025
754Before Incident
OCTOBER 2025
754Before Incident
SEPTEMBER 2025
753Before Incident
AUGUST 2025
752Before Incident
JUNE 2025
813Before Incident
Breach
01 Jun 2025Columbia University
Kroll and Columbia University: My SSN was exposed in a breach at Columbia—a school I have no connection with

Columbia University Data Breach Exposes Unaffiliated Individuals’ Sensitive Data

749After Incident
LOW-64
KROCOL1780583387
Columbia University Data Breach Exposes Unaffiliated Individuals’ Sensitive Data In February, a puzzling text from a family member led to the discovery of a months-long data breach mystery involving Columbia University one that affected individuals with no apparent ties to the institution. The text included a letter from Columbia, dated six months after the initial public notice, informing the recipient that their Social Security number (SSN) and other sensitive data had been exposed in a June 2023 breach. Columbia’s initial breach notifications, issued last year, were directed solely at "members of the Columbia community," warning of unauthorized access to admissions, enrollment, financial aid, and employee records. Major media reports echoed this, framing the incident as limited to students, applicants, and staff, while noting that the hacktivist behind the attack claimed motivation tied to Columbia’s admissions policies. However, the breach extended far beyond the university’s direct affiliates. The recipient a non-student, non-employee with no prior connection to Columbia received no explanation in the letter about how their data was obtained or exposed. The only remedy offered was enrollment in free credit monitoring via Kroll, the third-party firm hired to manage victim support. After repeated attempts to seek clarity through Kroll’s hotline where escalations yielded no follow-up a Columbia IT representative eventually revealed the cause: decades of third-party data collection, combined with failed data-removal efforts, had left the university holding sensitive information on individuals with no formal affiliation. The source of the exposed data, including SSNs, may trace back to standardized testing (such as the SAT) or other external partnerships, though Columbia has not provided a full account of its data retention practices. The breach underscores the risks of unchecked data aggregation by institutions, even for those with no direct relationship to the entity holding their information. As of now, the full scope of affected unaffiliated individuals remains unclear.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Tied to Columbia’s admissions policies
IMPACT
Data Compromised: Social Security numbers, admissions, enrollment, financial aid, and employee recordsBrand Reputation Impact: YesIdentity Theft Risk: Yes
DATA BREACH
Type Of Data Compromised: Social Security numbers, admissions records, enrollment records, financial aid records, employee recordsSensitivity Of Data: HighPersonally Identifiable Information: Yes

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for Columbia University ?
?
What was Columbia University's A.I Rankiteo Cyber Score in June 2026 ?
?
What was Columbia University's A.I Rankiteo Cyber Score in May 2026 ?
?
What was Columbia University's A.I Rankiteo Cyber Score in April 2026 ?
?
What was Columbia University's A.I Rankiteo Cyber Score in March 2026 ?
?
What was Columbia University's A.I Rankiteo Cyber Score in February 2026 ?
?
What was Columbia University's A.I Rankiteo Cyber Score in January 2026 ?
?
What was Columbia University's A.I Rankiteo Cyber Score in December 2025 ?
?
What was Columbia University's A.I Rankiteo Cyber Score in November 2025 ?
?
What was Columbia University's A.I Rankiteo Cyber Score in October 2025 ?
?
What was Columbia University's A.I Rankiteo Cyber Score in September 2025 ?
?
What was Columbia University's A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on Columbia University's A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with Columbia University ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view Columbia University's profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?