
Illustrated by Dulce Pop-Bonini

Millions of NYU Applicants’ Data Leaked on University Site

An X user replaced the NYU site with what they claim to be NYU’s 2024 applicant data, accusing the university of continuing to use affirmative action despite its 2023 ban by the Supreme Court.

On Saturday night, a hacker overrode the official NYU website for approximately two hours, redirecting users to a page hosting what is alleged to be over 20 years' worth of NYU applicant data. The user also included what they claim to be bar graphs showing average GPA, SAT, and ACT scores for the 24-2025 admissions cycle, categorized by race, and interpreted the figures as evidence of a violation of the 2023 Supreme Court ruling on affirmative action.
The uploaded CSV files include data for all undergraduate and graduate schools, including NYU Abu Dhabi. The data is said to be anonymized, but some Reddit users claim to have found their data through personally identifiable information that was left unredacted.
The data breach claimant is also linked to a 2023 data leak of over seven million social security numbers from the University of Minnesota, dating back to 1989. A former student and employee had filed a class action lawsuit against the university shortly afterward, fearing a breach of privacy.
According to the hacker, the University of Minnesota data breach was also done in order to find data on the use of affirmative action. “Within this... database system they store basically all important records the university has kept since they begin [sic] digitizing in 1989,” they said on a Fediverse-hosted site. “Student/faculty PII, grades, and most importantly here admissions data with diversity statistics.”
In another thread, the user explained their breaching process for the University of Minnesota, claiming that “they have spent lots of money on ‘advanced’ stuff, while forgetting the basics,” which allowed them to extract, from unsecured system backups, the user credentials needed to gain access to the sensitive database. “...[U]niversities have basically the most vulnerable networks that exist in my experience,” they added on a Pleroma-hosted website. “Massive networks with huge surface area and a lot of legacy systems and usually aren’t spending a lot on security compared to normal in the corporate/government sector.”
Fediverse and Pleroma, frequented by the hacker, are both networks of small social media websites that allow users to communicate across platforms.
In a statement shared through email and X on Sunday, an NYU spokesperson said, “...The University’s IT team responded immediately, and the University notified law enforcement. The malicious redirection was brought to a halt, the webpage the attackers established was taken down, and NYU’s website was once again online and available. The University will work closely with law enforcement as they pursue their investigation.”
On Saturday, the hacker shared through X that the large NYU data leak was “many things spread over a few months, wasn’t just one thing or one exploit.” The breach has raised concerns over the university’s data security practices, especially as the University of Minnesota hacker had publicly detailed how they achieved their previous data breach in 2023 and had said that they were continuing to gain access to other university networks in a similar way for future exploits.
The racialized NYU data leak happens at a time when diversity and inclusion programs are increasingly being targeted by the Trump administration, with over 50 universities currently facing federal investigations over “race-based preferences” in admissions and programming.
It remains to be seen how this new political climate affects NYUAD, which is in a unique position due to its status as a satellite campus outside of the US. After the Supreme Court’s 2023 ban on affirmative action in higher education, former NYUAD Vice Chancellor Mariët Westermann stated in an email, “No matter what the outcome of the analysis [of the decision’s effects on the university], we remain firmly committed to the foundational diversity of our university in and of Abu Dhabi, in and of NYU, and in and of the world.”
Mehraneh Saffari Anaraki is a Managing Editor. Email them at feedback@thegazelle.org.