Lawsuits Claim Princeton Put 100K People at Risk in Phone-Phishing Data Breach

By The Garden State Gazette Staff

Princeton University is facing two proposed class-action lawsuits that accuse the Ivy League school of failing to protect personal data for more than 100,000 people after a November cyber incident tied to a phone-based phishing scam.

According to court filings, the lawsuits say Princeton did not put in place basic cybersecurity safeguards, allowing attackers to access the Princeton University Advancement database on Nov. 10, 2025, by tricking an employee over the phone.

What was accessed

The Advancement database is used for fundraising and alumni engagement and contains biographical information on a wide range of people connected to the university, including:

  • All alumni and former students (including those who enrolled but did not graduate)
  • Alumni spouses and partners
  • Widows and widowers of alumni
  • Any university donor
  • Parents of current and former students
  • Former and current employees, including faculty

Princeton has said on its website that it believes the database does not contain passwords, Social Security numbers, credit card data, or bank account records.

But one lawsuit, filed Nov. 18 in Florida by plaintiff David Ramirez, claims the breach exposed:

  • Names
  • Email addresses
  • Telephone numbers
  • Home and business addresses
  • Information on fundraising activities and donations to Princeton

The complaint argues that “cybercriminals have accessed and obtained everything they need to commit identity theft and wreak havoc on the personal lives of thousands of individuals,” according to attorney Leanna A. Loginov.

A second lawsuit, filed the same day by Henggao Cai, says Princeton made a critical error by centralizing so much personal data in one place, making it easier for scammers to launch targeted attacks once the database was compromised.

How the breach happened

Princeton has attributed the incident to phone phishing — a scam where someone is persuaded over the phone to hand over login or other sensitive information. In this case, the attack targeted a university employee with normal access to the Advancement database.

Key details from the university’s own account:

  • The intrusion began midday on Nov. 10
  • It was blocked in less than 24 hours
  • The university says it has not heard from the attacker or attackers
  • As of the latest update, no arrests have been announced

Princeton has also said it has “no reason” to believe the breach was politically motivated or linked to cyber incidents at other universities. It may take several weeks to determine exactly what information was accessed.

Princeton’s response to the lawsuits

In a statement responding to questions from NJ Advance Media, Princeton spokesperson Jennifer Morrill said the university plans to fight the claims.

“We believe these claims are without merit, and we plan to contest them vigorously,” Morrill said.

The lawsuits seek class-action status on behalf of everyone whose personal data may have been stored in the Advancement database and potentially exposed in the attack.

This article is based entirely on court filings and Princeton University’s public statements as reported by NJ Advance Media and Government Technology as of November 28, 2025. If additional verified information becomes available from official sources, The Garden State Gazette will update this report.