TL;DR: Columbia University’s 2025 breach exposed 1.6 gigabytes of sensitive data from 2.5 million student applications, underscoring how weak identity verification, legacy MFA, and inherited vendor trust continue to make universities attractive targets, according to 1Kosmos. Identity-first security now matters because campus risk is being driven by who can authenticate, not just which systems can be reached.
NHIMG editorial — based on content published by 1Kosmos covering Columbia University’s breach and higher education identity security: Campus identity security gaps are putting student data at risk
By the numbers:
- Attacks targeting universities have surged nearly 70% since 2023.
- Institutions are now facing an average of over 2,500 cyberattack attempts each week.
Questions worth separating out
Q: What fails when university identity proofing is too weak?
A: Weak proofing turns account recovery into an attacker entry point.
Q: Why do universities need phishing-resistant authentication for high-risk access?
A: Because conventional MFA still depends on credentials or prompts that attackers can intercept, fatigue, or replay.
Q: How do campus identity controls fail in distributed environments?
A: They fail when the institution trusts the network, the device, or the help desk more than the actual identity.
Practitioner guidance
- Harden account recovery workflows Replace knowledge-based reset steps with stronger proofing for staff, faculty, and students, especially for help desk initiated recovery.
- Prioritise phishing-resistant authentication Move privileged, registrar, finance, and research access to FIDO2 or equivalent phishing-resistant methods before expanding coverage to the wider campus.
- Review third-party identity lifecycles Map every vendor account with access to student, research, or administrative systems, then recertify and offboard those identities on a defined cadence.
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The help desk verification pattern used to reduce password-reset abuse in university environments.
- Step-by-step identity-first access controls for campus users, faculty, and third-party providers.
- Operational guidance for integrating biometric verification and passwordless login into existing university systems.
- Compliance considerations around FERPA, HIPAA, and federal identity assurance standards.
👉 Read 1Kosmos's analysis of the Columbia University breach and campus identity risk →
Higher education identity gaps: why campus controls keep failing?
Explore further
Identity verification, not perimeter control, is the decisive weakness in higher education. Universities are open by design, so the real security question is whether the institution can prove who is asking for access at the moment of request. Columbia’s breach shows what happens when verification is weak enough for attackers to walk through normal recovery and login workflows. The practitioner conclusion is that campus security programmes must treat identity proofing as a primary control, not an administrative function.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
A question worth separating out:
Q: Who is accountable when a university vendor identity is compromised?
A: The university remains accountable for the access it has granted, even when the entry point is a third party. That means external identities need the same lifecycle controls as internal ones, including review, revocation, and role scoping. If vendors can keep access after the relationship changes, the institution inherits unmanaged exposure.
👉 Read our full editorial: Columbia University breach shows higher education identity gaps