SU data breach exposes nearly 10,000 names, Social Security numbers

Elizabeth Billman | Senior Staff Photographer

The university learned in early January that emails or attachments in the breached account contained personal data but didn't notify affected students until a month later.

UPDATED: Feb. 10, 2021 at 4:34 p.m.

The names and Social Security numbers of about 9,800 Syracuse University students, alumni and applicants have been exposed after someone gained unauthorized access to an employee’s email account.

The university has sent letters to affected students, alerting them that the university had investigated a data security breach involving some of their personal information. The unauthorized party accessed the employee’s email account between Sept. 24 and 28.

Upon learning of the breach, SU secured the account and launched an investigation that determined in early January that emails or attachments in the account contained names and Social Security numbers, a letter sent to affected students reads. The investigation, which was conducted with the help of a computer forensics firm, was unable to determine whether the unauthorized party ever viewed the personal information in the account, according to the letter, which was signed by Steven Bennett, senior vice president for international programs and academic operations. 


The university did not respond to questions about why it waited a month to alert students that their personal information had been exposed. 

“To date, we are unaware of any misuse of the information maintained in the employee’s email account, nor do we have any evidence that private personal information was actually viewed,” said Sarah Scalese, senior associate vice president for communications, in a statement to The Daily Orange. 

SU has coordinated with Experian, a consumer credit reporting company, to offer affected students a complimentary membership to a product that helps detect misuse of information and provides identity protection support, the letter sent to students reads. The service is free and won’t affect students’ credit scores, it said. 

The university did not respond to questions about how the breach specifically occurred. SU is implementing security measures, such as additional resources for cybersecurity training and additional cybersecurity and phishing training for employees with access to personal information, the letter reads. 

“We sincerely regret any concern this incident may have caused,” Scalese said. 

— This post has been updated with additional reporting.
