The Jersey Vindicator

Class-action lawsuit claims Princeton failed to protect sensitive data in major security breach

By Krystal Knapp, November 27, 2025

A Princeton University graduate has filed a federal class-action lawsuit accusing the Ivy League institution of negligence and breach of contract after a phone-based phishing attack exposed personal data belonging to students, parents, alumni, donors, and staff members.

The suit, filed Nov. 24 in U.S. District Court in New Jersey, alleges the university failed to secure and encrypt sensitive information stored in its University Advancement database — including birth dates, home addresses, family details, employment histories, giving records, and wealth indicators — allegedly leaving tens of thousands of people vulnerable to identity theft and long-term financial and privacy risks.

“We believe this claim is without merit, and we plan to contest it vigorously,” a spokesman for Princeton University said on Wednesday.

The plaintiff in the lawsuit, Gary Penna, a Massachusetts resident and Princeton alum and past donor, seeks to represent a nationwide class of individuals whose data “may have been compromised” when cybercriminals infiltrated the system Nov. 10. Princeton officials have said the breach stemmed from a targeted phone phishing attack on an employee with access to the database, and that the university is working with law enforcement and outside cybersecurity experts.

Allegations of negligence and a failure to meet basic standards

The 63-page complaint alleges that the university collected and stored highly sensitive information, yet failed to follow basic industry norms about encryption, data deletion, employee training, and network monitoring.

Penna accuses Princeton of maintaining personal data “in an unencrypted and identifiable form,” failing to monitor its systems for intrusions, failing to train staff on cybersecurity protocols, and failing to delete information it no longer needed, despite warnings that universities are increasingly targeted by cybercriminals.

The lawsuit argues that Princeton’s centralization of alumni and donor information made individuals “foreseeable victims” of any lapse in cybersecurity.

The suit devotes several pages to detailing standards from the Federal Trade Commission, the National Institute of Standards and Technology, and the Cybersecurity and Infrastructure Security Agency, all of which recommend encryption, multi-factor authentication, network monitoring, and regular employee training. Princeton’s alleged failure to meet those benchmarks, the complaint argues, constitutes negligence.

Because universities and their donors have become high-value targets for criminal groups, the complaint says, Princeton should have been acutely aware of the danger.

Breach of implied contract and unjust enrichment claims added

Beyond negligence, Penna accuses Princeton of breach of implied contract, arguing that the act of enrolling, donating, or working with Princeton constitutes an agreement that the university will safeguard personal information.

According to the complaint, Princeton “entered into contracts with its students, alumni, faculty, and donors to safeguard the PII (personally identifiable information) that was to be provided to it,” yet failed to uphold that obligation by allowing unauthorized access and by waiting days to notify affected people.

The lawsuit also includes a claim of unjust enrichment, arguing that Princeton benefited financially by underinvesting in cybersecurity while continuing to collect vast amounts of personal data from its community. By failing to spend “the costs it reasonably should have expended on data security,” the university effectively enriched itself while exposing class members to risk, the filing claims.

The suit argues that Princeton should now pay out those savings to help compensate victims, potentially through a “constructive trust.”

Risk of long-term harm

Because the information accessed includes data that cannot be changed — names, birth dates, family details, donation histories, demographic profiles — the suit says class members now face years of heightened risk.

The filing devotes substantial space to describing how exposed personal data circulates on the dark web in so-called “Fullz” packages, which combine multiple data points to allow criminals to commit fraud, open accounts, file false tax returns, or impersonate victims. It argues that stolen information “may be sold and resold in perpetuity” and that victims might not discover fraud for years.

Penna allegedly spends hours each week monitoring accounts and researching the breach. The complaint seeks monetary damages for time lost, emotional distress, and the diminished value of personal data, which it depicts as a commodity with economic worth.

Injunction seeks sweeping overhaul of Princeton’s data practices

In addition to financial damages, the lawsuit seeks court-ordered reforms, including:

  • Mandatory annual third-party security audits
  • Routine database scanning and monitoring
  • Comprehensive employee training
  • Secure deletion of unnecessary data
  • Lifetime credit monitoring and identity theft protection for all affected individuals

The complaint argues that Princeton “still possesses” the compromised information and that there is “no reason to believe” its current security measures are any stronger than they were before the intrusion.

Data breaches at universities have grown more common in recent years, and Penna’s suit notes similar incidents at Columbia, Stanford, Penn, and Georgetown.

The Princeton attack comes on the heels of a major Nov. 1 breach at the University of Pennsylvania, where a group claiming responsibility posted thousands of internal files, including donor memos, family details, talking points, bank records, and other sensitive information. The group said it extracted data on 1.2 million Penn students, alumni, and donors, though university officials dispute that figure, calling it “mischaracterized and overstated.”

Columbia University also faced a significant incident this past summer, when a hacker triggered a days-long IT outage and accessed roughly 460 gigabytes of data, including at least 1.8 million Social Security numbers tied to faculty, staff, applicants, students, and their families.

Krystal Knapp
Krystal Knapp is the founder of The Jersey Vindicator and the hyperlocal news website Planet Princeton. Previously she was a reporter at The Trenton Times for a decade.

© 2026 The New Jersey Center for Nonprofit Journalism