Monroe University has confirmed that a data breach discovered in 2024 has impacted more than 320,000 people, making it one of the largest higher-education data security incidents disclosed in recent years.

According to the university, unauthorized access to its internal systems occurred between December 9 and December 23, 2024. While the intrusion itself lasted only a few weeks, determining its full scope took considerably longer. After a months-long forensic investigation and data review, Monroe concluded in September 2025 that the personal information of approximately 320,973 individuals may have been exposed. Formal notification letters to those affected began going out in early January 2026.

The compromised data varies by individual but includes highly sensitive information. In its breach notification, Monroe stated that exposed details may include full names, dates of birth, Social Security numbers, driver’s license or passport numbers, financial account information, online account credentials, health insurance data, and student records. Not everyone impacted had the same type of information accessed, but the range of data involved raises serious concerns about potential identity theft and financial fraud.

Monroe University said it discovered suspicious activity on its network in late 2024 and immediately took steps to secure its systems. The university also reported the incident to law enforcement and hired external cybersecurity experts to determine what happened and what information was affected. Despite the sensitivity of the exposed data, Monroe claims there is currently no evidence that the information has been misused.

As part of its response, the university is offering one year of free credit monitoring and identity protection services to individuals whose Social Security numbers were involved. Affected people are also being encouraged to monitor their credit reports, bank statements, and insurance records closely for any signs of suspicious activity. Monroe has provided guidance on placing fraud alerts or credit freezes with major credit bureaus as an added precaution.

The breach highlights ongoing cybersecurity challenges facing colleges and universities, which often store vast amounts of personal and financial data while operating with limited IT security resources. Higher-education institutions have increasingly become targets for cybercriminals, particularly ransomware groups and data-stealing attackers, due to the high value of student and employee records.

For those impacted, the delayed notification timeline may be especially frustrating. While the attack occurred in December 2024, many individuals did not learn their information was involved until more than a year later. Data-breach experts note that lengthy investigations are common in large incidents, but delays can increase anxiety for victims who are unsure whether their personal data has already been compromised elsewhere.

Monroe University said it is reviewing and strengthening its security controls to prevent similar incidents in the future. Still, the breach serves as another reminder that even well-established educational institutions are not immune to large-scale cyberattacks—and that the consequences can affect hundreds of thousands of people long after the initial intrusion.