Carnegie Mellon Faces Lawsuit Over 2023 Data Breach
by Brian Eckert
A Carnegie Mellon University student has filed a class action lawsuit in Pennsylvania federal court alleging the school failed to prevent an August 2023 cybersecurity attack that exposed the personal information of students.
- A data breach occurred in August 2023, but Carnegie Mellon waited until the following year to notify affected individuals.
- The breach exposed the personally identifiable information (PII) of thousands of individuals, putting them at risk of identity theft and fraud.
- Carnegie Mellon is accused of implementing inadequate cybersecurity measures, despite charging students a “technology fee.”
- The April 2025 complaint seeks damages, restitution, and injunctive relief on behalf of a proposed nationwide class.
- The hack comes as more higher education institutions are facing cyberattacks.
- Glen L. Abramson of Milberg’s nation-leading Cybersecurity & Privacy Practice is representing the plaintiff and the class.
What Happened at Carnegie Mellon University?
Carnegie Mellon University, a private research university in Pittsburgh, Pennsylvania, suffered a data breach on August 25, 2023 that compromised the PII of thousands of individuals.
According to a data breach notice, the university “detected suspicious activity on a CMU computer” and launched an investigation that revealed “an unauthorized third party gained access to a CMU computer system and may have copied files which included your personal information.”
What Information Was Allegedly Stolen in the CMU Data Breach?
The stolen PII may have included names, Social Security numbers, and/or dates of birth. Based on the investigation, the PII of more than 7,300 individuals was affected by the data breach.
Armed with this information, data thieves “can commit a variety of crimes,” Milberg’s complaint contends, including opening new financial accounts and taking out loans in class members’ names, using their PII to obtain government benefits, filing fraudulent tax returns and obtaining driver’s licenses, and giving false information to police during an arrest. Hackers could also obtain and use sensitive information such as students’ medical records, sexual assault reports, and financial data, the complaint alleges.
“As a result of the Data Breach, Plaintiff and Class Members have been exposed to a present and imminent risk of fraud and identity theft,” the complaint states. “Plaintiff and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.”
What Legal Issues Does the Carnegie Mellon Lawsuit Address?
CMU is offering data breach victims complimentary identity theft monitoring services—a remedy the lawsuit calls “wholly inadequate” because it is only offered for 24 months, while the risks of identity theft and fraud can last a lifetime, and places the burden on victims to sign up for the service, instead of automatically enrolling them in it.
In addition, the lawsuit points out, years might pass between when PII is stolen and when it is misused by criminals, and between when harm occurs to victims and when it is discovered. It cites a U.S. Government Accountability Office data breach study that concludes, “the harm resulting from data breaches cannot necessarily rule out all future harm.”
“Anyone in defendant’s industry knew or should have known of the risks of a ransomware attack and taken sufficient steps to fulfill its obligation to the people who entrust their personal data to the institution. Defendant failed to do so.”
This harm was avoidable, the lawsuit claims, because cyberattacks are a “known risk” to CMU and the university was therefore “on notice” that failing to secure the PII against that risk left the data “vulnerable to theft.” Moreover, CMU may have had a contractual duty to protect the PII entrusted to it because it charges students a $470 “Technology Fee.”
Another point of contention in the lawsuit is the delay in notifying affected individuals. While the university became aware of the breach in August 2023 and completed its investigation in early December 2023, notification wasn’t sent out until January 2024. This delay allegedly prevented victims from taking immediate steps to protect themselves from potential harm.
Putting the Breach in Context: Higher Ed Hacks on the Rise
The complaint cites a 2021 FBI advisory warning that universities and colleges are “juicy targets” for ransomware attacks because they store vast amounts of student information.
A May 2024 report from Comparitech found that U.S. educational institutions, including K-12 schools and colleges, have experienced 3,713 data breaches since 2005, compromising over 37.6 million records. In 2023 alone, a record-breaking 954 breaches were reported, a sharp increase from 139 in 2022, with higher education bearing a disproportionate burden—accounting for 60% of these incidents and 83% of affected records.
The education sector experienced the most cyberattacks in 2021 and 2022, reports UpGuard, surpassing even healthcare and finance.
- Asimily’s February 2024 analysis of cyberattacks on U.S. universities highlighted four high-profile breaches, including the University of Michigan’s August 2023 incident, where 230,000 personal records were stolen, forcing a four-day campus network shutdown.
- The average downtime from ransomware attacks in education rose from 7.9 days in 2022 to 11.6 days in 2023, with costs averaging $3.65 million per breach, according to a Verizon Data Breach Investigations Report.
- UpGuard’s January 2025 study of 1,500 universities revealed that 10% had at least one open Remote Desktop Protocol (RDP) port—a common entry point for attackers—while among the top 500 universities, this figure climbed to 23%.
Colleges store vast amounts of PII, from student financial records to faculty research, yet many lag in cybersecurity investment. A report from Inside Higher Ed notes that while university IT spending has soared—Moody’s reported a 70% increase in cybersecurity budgets over five years as of June 2024—smaller institutions struggle with limited resources, sometimes relying on students to manage IT systems.
Educational institutions are likely to hold financial information about their students, given that financial aid programs are nearly ubiquitous in higher education today. Colleges and universities may also run medical or counseling clinics that hold sensitive personal information.
As cyberattacks grow more sophisticated, experts urge systemic change. Initiatives like the Higher Education Community Vendor Assessment Tool (HECVAT) show promise. UpGuard found that vendors using HECVAT averaged a security rating of 786, versus 712 for those who didn’t.
Who Can Join the Carnegie Mellon Data Breach Lawsuit?
Anyone who received a data breach notice from CMU about the incident is most likely a class member and eligible to join the lawsuit, which defines the following nationwide class:
- All United States residents whose personal information was accessed or acquired during the Carnegie Mellon data breach that commenced on or about August 25, 2023.
Milberg’s Nation-Leading Cybersecurity & Privacy Practice
Milberg Partner Glen Abramson is representing the plaintiff and the class. He has served as co-lead counsel in numerous successful consumer protection, insurance, securities fraud, and product defect class actions and is part of a team at Milberg that is on the frontline of cybersecurity and data breach litigation.
Over just the past three years, Milberg has settled more than 50 class actions involving privacy violations in state and federal courts across the country as lead or co-lead counsel. No other plaintiffs’ class action firm in the country has settled and won court approval of more data breach and data privacy class actions over this period.
Milberg is also responsible for developing favorable case law that many plaintiffs rely on in cybersecurity and privacy litigation, and the firm has been a staunch ally of university students, filing lawsuits to improve student athlete competition and protect students’ rights.
Since 1965, Milberg has filed thousands of class action lawsuits, recovered billions of dollars for our clients, set groundbreaking legal precedents, and used litigation to reform consumer rights.