Monroe University revealed that threat actors stole the personal, financial, and health information of over 320,000 people after breaching its systems in a December 2024 cyberattack.

Founded in 1933 as a Bronx secretarial school, Monroe University is now a private institution with over 9,000 students each year across campuses in New York (Bronx and New Rochelle), and in the Caribbean nation of Saint Lucia.

As the school explained in data breach notifications filed with the Office of the Maine Attorney General this week, the attackers had access to its network for 2 weeks, from December 9 to December 23.

In September 2025, the university confirmed that the resulting data breach affected 320,973 individuals following a review of the stolen documents.

"We reviewed these files and, on September 30, 2025, determined that they contained some personal information for certain individuals," the school disclosed in an official statement.

"The type of information involved varied by person but may have included one or more of the following: name, date of birth, Social Security number, driver's license number, passport number, government identification number, medical information, health insurance information, electronic account or email username and password, financial account information, and/or student data."

The school began mailing breach notifications on January 2 to those whose data was stolen, warning them to monitor their credit reports and account statements for any signs of fraud or identity theft. Affected individuals are also offered one year of free credit monitoring services through Cyberscout, which will alert them to changes to their credit files.

A Monroe University spokesperson was not immediately available for comment when contacted by BleepingComputer for more details regarding the incident.

The school was also the victim of a ransomware attack when it was still known as Monroe College, with the attackers demanding 170 bitcoins (approximately $2 million at the time) for a decryptor.

Attacks targeting U.S. universities

Multiple other universities across the United States have also been breached in recent months, with the University of Hawaii reporting last month that its Cancer Center was breached in an August 2025 ransomware attack.

In December, Baker University also disclosed a data breach after attackers who had hacked its network in 2024 stole personal, health, and financial information of over 53,000 people.

Several other U.S. universities have also been breached in voice phishing attacks starting in October, with Harvard University, Princeton University, and the University of Pennsylvania disclosing that the data of donors, staff, students, and alumni was stolen from compromised development and alumni activities systems.

The Clop ransomware gang also hacked the Oracle E-Business Suite (EBS) platforms of Harvard University and the University of Pennsylvania to steal personal and financial data from students, staff, and suppliers.