The Columbia hack is a much bigger deal than Mamdani's college application

The Verge

3 days ago

On June 24th, Columbia University experienced an hourslong system-wide outage. Its internal email service went down. Students couldn't log in to the platform where professors post assignments and course materials. Library catalogs went offline. Zoom was unavailable. Every single service that required Columbia's official authentication service was affected, but maybe most eerily, images of President Donald Trump appeared on some screens across the campus. During that time, the personal data of at least every person who applied to Columbia between 2019 and 2024 was stolen.
It's not yet clear the full scope of the breach, according to Columbia. But someone claiming to be the hacker almost immediately began shopping that data around, giving 1.6 gigabytes of admissions records 'dating back decades' to Bloomberg. And that's supposedly just the tip of the iceberg. The self-identified hacker said they had stolen 460 gigabytes, including 1.8 million Social Security numbers, financial aid package information, and employee pay stubs — the result of two months burrowing into Columbia's servers before finally gaining the highest level of access. Bloomberg confirmed details of the Columbia data it received with eight current and former students; they were accurate. Millie Wert, a spokesperson for Columbia, referred The Verge to the university's previous statements on the hack.
These are three politically motivated hacks of higher education, focused on the admissions process
The hack appears to be politically motivated: the purported hacker told Bloomberg as much, saying they stole the data because they wanted to know whether Columbia had continued to engage in 'affirmative action,' admissions policies meant to improve opportunities for groups that colleges had once discriminated against, after the practice was barred in 2023 by the Supreme Court.
The Republican war on affirmative action is part of a broader push to undermine the Civil Rights Act, which is barely disguised as attacks on 'wokeness' and 'DEI.' Shortly after taking office, Trump signed an executive order banning 'illegal discrimination,' which targeted so-called diversity, equity, and inclusion programs, a fairly broad umbrella of initiatives meant to make sure underrepresented groups don't face barriers in schools and workplaces. In the broader scheme, the Columbia University hack figures as a wildcat attempt at enforcing the right-wing ideological project of bringing back open racism.
The attack on Columbia is, in this context, a remarkable story. Moreover, it comes on the heels of cyberattacks on New York University and the University of Minnesota, both of which the alleged hacker took credit for when speaking to Bloomberg. In March, someone stole NYU applicants' personal details, including financial aid, 'dating back to at least 1989,' according to Washington Square News. Similarly, in July 2023, someone posted records from the University of Minnesota dating to the 1980s, and those records included 7 million Social Security numbers.
According to Bloomberg's source, these are three politically motivated hacks of higher education, focused on the admissions process and containing personal information protected by law. Moreover, the supposed hacker — who, if we take them at their word, is working alone and has an ax to grind about the supposed favored status of racial minorities in American society — specifically sought out information about self-reported race and ethnicity, and has now essentially acquired lists of people categorized by race.
There has been precious little reporting on the Columbia hack
And yet, there has been precious little reporting on the Columbia hack. Wired hasn't covered it, and, until this story, neither has The Verge. Nor have The Chronicle of Higher Education, CyberScoop, 404 Media, TechCrunch, or Krebs on Security. These — including The Verge — are small to medium-size entities, and there's any number of possible reasons why they didn't pick it up. (On our end, it was partly because we were short-staffed during a national holiday, and partly because we didn't immediately piece together how extraordinary this particular hack is.) But coverage at the much bigger, well-resourced institutions is also scanty. The Wall Street Journal passed on the story. Reuters has a brief on the initial outage; AP has a short write-up as well, which The Washington Post ran as part of their syndication deal.
The most extensive reporting comes from Bloomberg and The New York Times.
Here is how The New York Times has elected to cover it:
For those of us keeping score at home, that's two stories about the hack and its overall political implications, both of which are less informative than Bloomberg; one story using hacked data to smear a mayoral candidate; and two stories jerking off.
As a result of the Mamdani leak, The New York Times has one of the best leads on the identity of the hacker
Zohran Mamdani, as a high school senior, marked himself as both Asian and Black/African American on his college application, adding the clarifying note 'Uganda' next to the latter, according to hacked data passed to the Times. He is a South Asian man born in Uganda. He did not attend Columbia University.
It's not much of a story. But as a result of the Mamdani leak, The New York Times has one of the best leads on the identity of the hacker. The Times identifies Jordan Lasker as the source of Mamdani's college application (though bafflingly only by his internet alias 'Crémieux'), and he likely has some idea about where he got it from. Bloomberg obviously has its own lead — and you'd think the two would be competing to get more information about this politically motivated hack out to the general public.
Maybe we will see some impressive reporting shortly and someone is chasing it right now. Or perhaps there is simply no one at the Times who can report out the story, which now involves three major data breaches. Certainly the handling of Mamdani's college application makes it look like the Times is either unfamiliar with or unwilling to engage in best practices around hacked materials. It does, however, strain credulity to think this particular newspaper would be unaware of those standards.
Had reporters been played by hackers? (Yes.)
In 2016, The New York Times ran a series of stories about Hillary Clinton's emails, which had been hosted on a private server — not recommended, for security reasons — while she was secretary of state. Following a relentless news cycle about her emails, a Democratic National Committee email server was hacked. WikiLeaks published almost 20,000 stolen emails, notably spending October dropping batches of damaging emails from Clinton's campaign chair. As early as June 2016, the media already had a pretty good idea that the hacker was actually the Russian government, but went all out on the emails anyway. (In 2018, a US grand jury indicted 12 Russian intelligence officers in connection with the hack.) The extensive coverage of those hacked emails — from the Times and elsewhere — likely contributed to Clinton's loss to Donald Trump in the 2016 presidential election, even though the emails were nothingburgers. Does anyone even remember the contents?
Journalists have long struggled over balancing newsworthiness and sourcing — the 2014 North Korean hack of Sony Pictures produced a spectacular revelation about Hollywood's war on Google, but also gossip intended to humiliate Amy Pascal, where reporters played along and effectively did King Jong Un's bidding. But the WikiLeaks-DNC emails incident led to intense media navel-gazing. Had reporters been played by hackers? (Yes.) Was there a way to avoid that in the future? (Yes.) Journalists seriously reevaluated how to treat hacked materials, and how much emphasis to put on them.
This is why coverage of the emails from Hunter Biden's laptop was so muted. And when the Trump / Vance presidential campaign of 2024 was hacked, publications were careful about how to cover it. Though reporters at a variety of outlets, including The New York Times and The Washington Post, received offers of internal documents, they largely declined to run them. Instead, papers reported on the details of the hack itself, which was allegedly performed by Iranian state actors. A dossier of hacked information on vice presidential nominee JD Vance was published by independent journalist Ken Klippenstein, though its spread was throttled by X because it contained personal information. (Previously, X's owner, Elon Musk, claimed that the suppression of stories about the Hunter Biden laptop was evidence that conservative speech was being stifled.)
Hackers don't make journalistic assignments. Journalists do
In justifying the coverage decisions around leaked materials, there was a common thread: Hackers don't make journalistic assignments. Journalists do. No news organization — including this one — would make a blanket rule against hacked materials. Instead, the idea would be to be judicious about what was being leaked and by who, giving readers information on what the hack was meant to accomplish if the information in it was found to be newsworthy.
The Times' coverage of the hacked Mamdani material flies in the face of the editorial decisions around Hunter Biden's emails and the hacked documents from the Trump campaign. The choice to use the material is inconsistent with previous decisions, but that's not all. The framing of the story might as well have been dictated by the hacker, who has it out for affirmative action, and the internet eugenicist who supplied the material.
I reached out to The New York Times to request comment on how they'd identified the source and framed the story. Spokeswoman Danielle Rhoades Ha declined to answer those questions, and sent a statement that read, in part, 'Reporters receive tips from people with biases and bad motives all the time, but we only publish such information after we've independently verified it, confirmed it, done our own reporting on it and judged it to be newsworthy.'
The context in which these actors are going after Columbia is important as well. The Trump regime has come at the Ivy League broadly over diversity, equity, and inclusion programs. It has singled out Columbia specifically, leveraging accusations of antisemitism over the university's handling of protests against the Israeli attacks on Gaza. Trump's ICE has targeted student protesters, disappearing them into faraway facilities.
Frankly, we will have gotten off lightly if 'Mamdani Once Claimed to Be Asian and African American' is the only hit the Columbia hacker manages to land with their stolen data
The institution has not exactly been defiant about the attacks on its students — days after the ICE raid that took Mahmoud Khalil, the university expelled, suspended, or revoked the degrees of students who occupied a campus building last spring as part of a protest. This did not pacify the Trump regime, which has frozen $400 million of funding for Columbia University and is currently negotiating a settlement with the university.
The timing of the hack, given the university's relationship with the Trump regime, raised my eyebrows. A hacker who is also a Trump follower might attempt to pressure Columbia with stolen data, perhaps via strategic leaks to major newspapers, in order to get it to capitulate to Trump's pressure campaigns.
Who did the hacking and how did it happen? What was stolen, and where is it being stored? Is any of it being sold? What other schools are being targeted? How will this stolen information place pressure on Columbia? These questions all seem like fertile ground for reporting. It would be nice if The New York Times was interested in that story. But at the absolute bare minimum, when it ran its bizarre story about Mamdani's college application, it should have made the political motivations of the hacker clear to the reader.
If it's true that the Times allowed itself to become the mouthpiece of an anti-affirmative action hacktivist, it is a travesty. But frankly, we will have gotten off lightly if 'Mamdani Once Claimed to Be Asian and African American' is the only hit the Columbia hacker manages to land with their stolen data. They may well be poised to do much more damage, and at a time when the university has already been brought to its knees.
There are as yet no indications that the hacker has anything other than admissions data, which is something of a relief, given how much stuff there is at any given university. In fact, speaking of journalistic ethics: even though journalism does not have one single body that upholds professional ethics, The Columbia Journalism Review — housed at Columbia University, alongside a renowned journalism school and the prestigious Pulitzer Prizes — is widely acknowledged as a leading institution in setting and guiding norms in the profession. One might think of the Columbia hack as an indirect attack on journalists and journalistic institutions; it is possible the hacker has data that could be weaponized in a direct one.
I am struggling to understand why I can find so little reporting on something that seems awfully newsworthy. Look, I'm the in-house finance nerd at the phones website; I rely on people who know how computers work to do reporting on hacks. But here we have a politically motivated hack of three universities, data from which has been used by the nation's most prestigious newspaper to attempt a hit job on a Democratic mayoral candidate, and precious little else. I get that we all have hacking fatigue — it feels like every other week, some major business gets rekt — but the Columbia University story is different. Is anyone going to treat it that way?