Attorney General James Reaches Agreement with Marymount Manhattan College to Invest $3.5 Million to Protect Students’ Online Data

Marymount Manhattan College Data Breach in 2021 Affected Roughly 100,000 New Yorkers

NEW YORK – New York Attorney General Letitia James today announced an agreement with Marymount Manhattan College (MMC), a private non-profit liberal arts college in New York City, to invest $3.5 million in data security to protect students’ online data. In 2021, MMC suffered a data breach that affected nearly 100,000 New Yorkers who were current and prospective MMC students, faculty, and alumni. An investigation by the Office of the Attorney General (OAG) found that MMC failed to properly secure its network infrastructure and failed to update its policies to address new security concerns, making it vulnerable to a data breach. As a result of today’s agreement, MMC is required to invest $3.5 million to improve data encryption and security protocols to mitigate the risk of future breaches.

“When institutions like Marymount Manhattan College fail to properly protect online data, thousands of New Yorkers are put at risk as a result,” said Attorney General James. “In the modern digital age, companies and universities alike must do a better job at safeguarding the personal information with which they are entrusted. This agreement will help ensure that future classes of MMC students, faculty, and alumni will have their online data protected.”

In November 2021, a hacker got into MMC’s technical infrastructure and accessed data belonging to 99,097 New Yorkers, which included social security numbers, bank and credit card numbers, passport numbers, driver’s license numbers, and medical information. Some of the data was over 10 years old and from applicants that never attended MMC. The hacker then encrypted the information and demanded a ransom in exchange for the return of the information. MMC paid the ransom and the stolen data was deleted.

Following the cyber-attack, OAG opened an investigation into the breach and MMC’s privacy and data security practices. The investigation concluded that MMC failed to adequately safeguard personal information, including failing to use multi-factor authentication for accounts, not encrypting sensitive data, and failing to update both their security policies and firmware in response to new security threats.

As part of today’s agreement, MMC must invest $3.5 million over the next six years to better protect the personal information of consumers, including by: 

  • Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
  • Encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
  • Maintaining reasonable policies to perform security updates and patch management;
  • Enabling multifactor authentication for users logging into MMC’s networks;
  • Scanning for vulnerabilities and potential weaknesses; and
  • Publicly sharing the university’s plan describing the purpose of the personal information it collected and retained, and the timeline for deletion.

Today’s agreement continues Attorney General James’ efforts to protect the personal information of New Yorkers and hold companies accountable for their poor data security practices. This past May, Attorney General James secured $300,000 from Sports Warehouse for failing to protect the data of 2.5 million customers. Also in May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In December 2022, Attorney General James secured $200,000 from student cap and gown producer Herff Jones for failing to protect consumers’ personal information. In October 2022, Attorney General James announced a $1.2 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers. In June 2022, Attorney General James secured $400,000 from Wegmans and required the retailer to improve data storage security after a data breach exposed consumers’ personal information. In March 2022, Attorney General James issued a consumer alert advising T-Mobile customers to take appropriate steps to protect their personal information following a data breach.

This matter was handled by Assistant Attorney General Nathaniel Kosslyn and Deputy Bureau Chief Clark Russell, with special assistance from Internet and Technology Analyst Nishaant Goswamy, of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.