TL;DR: Monroe University suffered a cyberattack in December 2024. Hackers spent two weeks (December 9-23) inside their systems, stealing data on 320,973 people—Social Security numbers, passports, medical records, financial info, passwords, everything. Monroe discovered this in September 2025 but didn't notify victims until January 2, 2026. That's 13 months after the breach and 9 months after discovery. A class action lawsuit is now filed. This is Monroe's second major hack—they got ransomware'd in 2019 too.
What Was Stolen
Monroe University disclosed that stolen data "varied by person" but potentially includes:[1]
- Social Security numbers
- Driver's license numbers
- Passport numbers
- Government ID numbers
- Medical information
- Health insurance information
- Email usernames and passwords
- Financial account information
- Student data
- Dates of birth
That's everything an identity thief needs. SSN + passport + driver's license = synthetic identity fraud. Medical records add blackmail potential. Passwords mean account takeovers across any site where victims reused them.
The Timeline That Should Make You Angry
- December 9-23, 2024: Hackers inside Monroe's systems for two full weeks
- September 30, 2025: Monroe finally discovers the breach—9 months later
- January 2, 2026: Monroe mails notification letters—13 months after the breach
Nine months to even notice someone was in your systems. Then three more months to tell victims. Meanwhile, stolen data circulates on dark web markets, identities get cloned, and victims have no idea they're at risk.[2]
Some state laws require notification within 30-45 days of discovery. Monroe took about 90 days just for that part.
Who's Affected
Monroe University is a for-profit university with campuses in New York City and the Caribbean. The 320,973 affected individuals likely include:[3]
- Current students
- Former students (going back years)
- Faculty and staff
- Applicants
- Anyone whose data Monroe collected for enrollment, financial aid, or healthcare services
If you've ever attended Monroe, applied, worked there, or used their health services—check your credit and assume your data is compromised.
Monroe's Second Major Breach
This isn't Monroe's first rodeo. In 2019, when the school operated as Monroe College, they got hit with ransomware. Attackers demanded $2 million in Bitcoin.[1]
After a ransomware attack in 2019, you'd expect improved security. Instead, five years later, attackers spent two weeks inside their systems without detection.
The name changed from Monroe College to Monroe University. The security apparently didn't.
Class Action Filed
Plaintiff Rosemary Maysonet filed a class action lawsuit in January 2026:[4]
Maysonet v. Monroe University Ltd., Case No. 1:26-cv-00344, U.S. District Court for the Southern District of New York
The lawsuit alleges Monroe failed to implement adequate security measures and violated notification requirements by waiting so long to inform victims.[4]
Education Sector Under Siege
Monroe isn't alone. According to GuidePoint Security, ransomware attacks on educational institutions jumped 32% from 196 incidents in 2024 to 259 in 2025.[5]
Universities make attractive targets:
- Massive data stores — SSNs, medical records, research data
- Legacy systems — Old software, underfunded IT
- Decentralized access — Thousands of users, many endpoints
- Research funding — Valuable intellectual property
- Paying customers — Institutions often pay ransoms to restore operations
What To Do If You're Affected
Freeze Your Credit
Don't just monitor—freeze. Contact Equifax, Experian, and TransUnion. Free to freeze and unfreeze. Monroe's free monitoring is useless if someone already has your SSN.
Change Passwords Everywhere
If you reused your Monroe email password anywhere else, change it now. Use unique passwords per site. Password manager required.
Watch for Medical ID Theft
Medical records were stolen. Review explanation of benefits (EOB) statements for services you didn't receive. File disputes immediately.
File IRS Identity Protection PIN
With SSNs stolen, tax fraud is likely. Request an Identity Protection PIN from the IRS before next tax season.
Monroe's Response
Monroe is offering affected individuals one year of credit monitoring through Cyberscout, including fraud alerts and credit file change notifications.[1]
One year of monitoring for data that will circulate forever. SSNs don't expire. Passports don't get new numbers easily. One year is a PR gesture, not protection.
The Bottom Line
Monroe University had two weeks with hackers in their systems and didn't notice. They took nine months to realize it happened, then three more months to tell victims. This is their second breach in five years.
If you have any connection to Monroe—freeze your credit now. Don't wait for their letter. Don't rely on their monitoring. Assume your data is already being sold.
320,973 people trusted Monroe with their most sensitive information. That trust was obviously misplaced.
References
- BleepingComputer - Monroe University Says 2024 Data Breach Affects 320,000 People (January 2026)
- Cybernews - 320K+ Exposed in Monroe University Hacker Attack
- Bank Info Security - For-Profit Monroe University Notifies 321,000 of Data Theft
- Top Class Actions - Monroe University Data Breach Class Action
- Cyber Insider - Monroe University Suffers Data Breach Impacting 320,000 People