Princeton University: Class-action lawsuit claims Princeton failed to protect sensitive data in major security breach • The Jersey Vindicator

A Princeton University graduate has filed a federal class-action lawsuit accusing the Ivy League institution of negligence and breach of contract after a phone-based phishing attack exposed personal data belonging to students, parents, alumni, donors, and staff members.

The suit, filed Nov. 24 in U.S. District Court in New Jersey, alleges the university failed to secure and encrypt sensitive information stored in its University Advancement database — including birth dates, home addresses, family details, employment histories, giving records, and wealth indicators — allegedly leaving tens of thousands of people vulnerable to identity theft and long-term financial and privacy risks.

“We believe this claim is without merit, and we plan to contest it vigorously,” a spokesman for Princeton University said on Wednesday.

The plaintiff in the lawsuit, Gary Penna, a Massachusetts resident and Princeton alum and past donor, seeks to represent a nationwide class of individuals whose data “may have been compromised” when cybercriminals infiltrated the system Nov. 10. Princeton officials have said the breach stemmed from a targeted phone phishing attack on an employee with access to the database, and that the university is working with law enforcement and outside cybersecurity experts.

Allegations of negligence and a failure to meet basic standards

The 63-page complaint alleges that the univers

Source: https://jerseyvindicator.org/2025/11/27/class-action-lawsuit-claims-princeton-failed-to-protect-sensitive-data-in-major-security-breach/

TPRM report: https://www.rankiteo.com/company/princeton-university

"id": "pri1764403231",
"linkid": "princeton-university",
"type": "Breach",
"date": "2025-11-27T00:00:00.000Z",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'incident': {'affected_entities': [{'customers_affected': 'Tens of Thousands '
                                                           '(Students, '
                                                           'Parents, Alumni, '
                                                           'Donors, Staff)',
                                     'industry': 'Higher Education',
                                     'location': 'Princeton, New Jersey, USA',
                                     'name': 'Princeton University',
                                     'size': None,
                                     'type': 'Educational Institution'}],
              'attack_vector': 'Phone-based Phishing (Targeted Attack on '
                               'Employee)',
              'data_breach': {'data_encryption': 'No (Allegedly Unencrypted in '
                                                 'Database)',
                              'data_exfiltration': True,
                              'file_types_exposed': None,
                              'number_of_records_exposed': 'Tens of Thousands '
                                                           '(Exact Number '
                                                           'Undisclosed)',
                              'personally_identifiable_information': True,
                              'sensitivity_of_data': 'High (Identity Theft '
                                                     'Risk)',
                              'type_of_data_compromised': ['Personally '
                                                           'Identifiable '
                                                           'Information (PII)',
                                                           'Financial/Wealth '
                                                           'Data',
                                                           'Employment '
                                                           'History']},
              'date_detected': '2023-11-10',
              'description': 'A targeted phone-based phishing attack on a '
                             'Princeton University employee compromised the '
                             'University Advancement database, exposing '
                             'sensitive personal data of students, parents, '
                             'alumni, donors, and staff. The exposed data '
                             'includes birth dates, home addresses, family '
                             'details, employment histories, giving records, '
                             'and wealth indicators, putting tens of thousands '
                             'at risk of identity theft. A federal '
                             'class-action lawsuit has been filed alleging '
                             'negligence and breach of contract by the '
                             'university.',
              'impact': {'brand_reputation_impact': ['Negative Publicity',
                                                     'Allegations of '
                                                     'Negligence',
                                                     'Breach of Trust with '
                                                     'Alumni/Donors'],
                         'conversion_rate_impact': None,
                         'customer_complaints': ['Federal Class-Action Lawsuit '
                                                 'Filed (Nov. 24, 2023)'],
                         'data_compromised': ['Birth Dates',
                                              'Home Addresses',
                                              'Family Details',
                                              'Employment Histories',
                                              'Giving Records',
                                              'Wealth Indicators'],
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': 'High (Long-term Financial and '
                                                'Privacy Risks for Affected '
                                                'Individuals)',
                         'legal_liabilities': ['Class-Action Lawsuit '
                                               '(Negligence & Breach of '
                                               'Contract)',
                                               'Potential Regulatory Scrutiny'],
                         'operational_impact': None,
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': ['University Advancement '
                                              'Database']},
              'initial_access_broker': {'backdoors_established': None,
                                        'data_sold_on_dark_web': 'Potential '
                                                                 '(Alleged in '
                                                                 'Lawsuit)',
                                        'entry_point': 'Phone-Based Phishing '
                                                       '(Employee with '
                                                       'Database Access)',
                                        'high_value_targets': ['University '
                                                               'Advancement '
                                                               'Database'],
                                        'reconnaissance_period': None},
              'investigation_status': 'Ongoing (Collaboration with Law '
                                      'Enforcement & Cybersecurity Experts)',
              'motivation': ['Financial Gain (Potential Identity Theft)',
                             'Data Theft for Dark Web Sale'],
              'post_incident_analysis': {'corrective_actions': None,
                                         'root_causes': ['Human Error '
                                                         '(Phishing '
                                                         'Vulnerability)',
                                                         'Inadequate Data '
                                                         'Encryption',
                                                         'Lack of Multi-Factor '
                                                         'Authentication (MFA) '
                                                         'for High-Risk '
                                                         'Access']},
              'references': [{'date_accessed': None,
                              'source': 'Class-Action Lawsuit Filing (U.S. '
                                        'District Court, New Jersey)',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': ['Class-Action '
                                                          'Lawsuit (Filed Nov. '
                                                          '24, 2023)'],
                                        'regulations_violated': None,
                                        'regulatory_notifications': None},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': ['Public Statement '
                                                      '(Denial of Negligence, '
                                                      'Nov. 2023)'],
                           'containment_measures': None,
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': True,
                           'law_enforcement_notified': True,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': None,
                           'third_party_assistance': ['Cybersecurity Experts '
                                                      '(External)']},
              'title': 'Princeton University Phishing Attack Exposes Personal '
                       'Data of Students, Alumni, and Staff',
              'type': ['Data Breach', 'Phishing Attack'],
              'vulnerability_exploited': ['Human Error (Phishing '
                                          'Susceptibility)',
                                          'Lack of Data Encryption in '
                                          'University Advancement Database']}}