SU agrees to settlement over 2020 data breach
Get the latest Syracuse news delivered right to your inbox.
Subscribe to our newsletter here.
Current and former Syracuse University students affected by a 2020 data breach may be entitled to up to $10,000 for “extraordinary losses” following the settlement of a class action lawsuit.
The United States District Court for the Northern District of New York gave preliminary approval on Dec. 14 to settle the class action lawsuit, Bloomberg Law reported. In addition to the extraordinary losses, 9,800 class members may be entitled to up to $1,000 for “ordinary losses.”
The lawsuit, which was initially filed in the Onondaga County Supreme Court on Sept. 2, 2021 by Plaintiff Trevor Miller, named SU as the defendant. Miller, an SU undergraduate student during the data breach, alleged the university had “insufficient cybersecurity measures in place” to protect the sensitive information of students, alumni and applicants, according to the memorandum.
The data breach was a result of a successful information “phishing” attack against a university employee. As a result, cybercriminals accessed sensitive information, including Social Security numbers, between Sept. 24 and 28, 2020.
“We have reached a settlement that Syracuse believes is beneficial to those who may have been affected,” wrote Sarah Scalese, senior associate vice president for university communications, in a statement to The Daily Orange.
The university waited for over four months to alert students whose information had been compromised. SU hired a firm that specializes in data security in October 2020 to assist with the investigation. The investigation was completed in January 2021, but the firm claimed it was unable to confirm whether files containing names and Social Security numbers had been accessed.
“Following the 2020 incident, Syracuse notified impacted parties, conducted a full investigation, facilitated identity and credit monitoring, and implemented a variety of additional safeguards to help reduce the likelihood of a similar incident occurring again,” Scalese wrote in the statement.
The affected students were sent a letter from SU on Feb. 4, 2021, making them aware of the data breach and offering them a free year of Experian IdentityWorks, an identity protection support service, the memorandum stated.
On Feb. 3, 2022, SU filed a motion to dismiss the suit for failure to state a claim, which the court partially dismissed. The memorandum states that both parties exchanged documents and participated in settlement negotiations throughout the process.
Both parties notified the court that they had reached a tentative settlement in principle on July 28, 2023, and “finalized” the settlement terms in December. SU will also pay the costs and expenses relating to notice and settlement administration.
Cindy Zhang | Digital Design Director
The plaintiff and counsel — Finkelstein, Blankinship Frei-Pearson and Garber, LLP and Keller Postman, LLC. — decided to settle the lawsuit since the settlement “resolves” Miller’s claims and “provides relief” to the class affected, the memorandum stated. Accounting company Postlethwaite & Netterville was selected as the settlement administrator.
Miller’s representation did not provide a comment to The D.O.
The memorandum states SU maintained denial of any allegations of “wrongdoing or negligence” or “failure” to protect the sensitive information throughout the lawsuit’s process, including in the memorandum filing for settlement.
SU agreed to integrate “meaningful information security improvements” and provide “sufficient documentation” that proves it has either implemented or will implement security-related measures, according to the memorandum.
After The D.O. requested more information regarding the new security measures, the university responded that it does not share the specifics of protection methods in order to prevent bad actors from using the knowledge to “propagate system-level and social engineering attacks.”
“(SU) is committed to information security and has taken action to minimize our vulnerability to bad actors,” Scalese wrote. “The University continually monitors and updates its methods of protecting user information and follows commonly accepted standards and information security controls.”