On Saturday morning, someone accessed NYU's IT systems without authorization and took control of the systems that direct web traffic to NYU's website. For a period of about three hours, traffic to the www.nyu.edu website was instead directed to a webpage that the unauthorized actor posted on GitHub. The March 22 incident at NYU appears to involve the same actor involved in a similar incident at another university.

The University, which is committed to safeguarding its IT systems and to protecting personal data, responded immediately, working with a cybersecurity specialist consultant to regain control of the system and redirect traffic back to its real website. We promptly reported the incident to law enforcement authorities. And the webpage that the unauthorized actor created was taken down. The work of NYU's IT unit and the cybersecurity consultant continues, focusing on ensuring that our computer network is secure, evaluating the nature and scope of the incident, and using those findings to assess potential enhancements to NYU's cybersecurity infrastructure. They are working as swiftly as possible to complete their review so that NYU can provide notice, in accordance with applicable law, with respect to personal information that was subject to unauthorized access in connection with this incident. The law enforcement investigation also continues.

The charts posted by the unauthorized actor, purporting to show certain admissions data, were both inaccurate and misleading. NYU scrupulously complies with the law as set forth by the Supreme Court's 2023 SFFA ruling: at no time during the admissions review process does NYU look at the race of the candidates for admission, either individually or in the aggregate. Indeed, at no point during the admissions review process are admissions counselors able to see the race of the applicant.

NYU has established a hotline (855-549-2511) to receive and respond to questions about the incident. Once the investigation is complete, the University will provide notice, in accordance with applicable law, with respect to personal information that was subject to unauthorized access in connection with this incident, and the hotline will continue to be available as a resource to answer questions.