Trocaire College is facing three class-action lawsuits following a cyberattack that exposed the personal data of over 23,000 individuals, including Social Security numbers. Although the breach was detected in March 2025, the college did not begin notifying affected students and staff until January 2026, leading to allegations of gross negligence regarding security and transparency.

The private Buffalo-based college is currently defending itself against legal claims that it failed to implement industry-standard cybersecurity measures to protect sensitive information. While the college president stated there is currently no evidence that the stolen data has been misused, the institution has advised potential victims to remain vigilant by monitoring their financial statements and credit reports. The lawsuits argue that this advice comes too late, as the delay in notification left thousands of people vulnerable to identity theft for nearly a year.

Official filings indicate that the breach was first identified on March 13, 2025. Following the discovery, Trocaire engaged independent experts to conduct a forensic investigation to determine the extent of the compromised data. Legal representatives for the college maintain that the internal review was not completed until December 2025 and that they moved quickly to issue notices once the specific victims were identified. However, critics and plaintiffs argue that a ten-month gap between detection and disclosure is unacceptable given the high stakes of the data involved.

The compromised information includes Social Security numbers, which the lawsuits describe as a gold mine for cybercriminals looking to open fraudulent accounts or file false tax returns. One plaintiff, a former employee, reported experiencing a sharp increase in spam communications following the incident. Legal filings emphasize that this type of data is frequently traded on the dark web, where encrypted networks allow criminals to sell personal identifiers while remaining anonymous.

Legal action was prompted by what victims describe as a lack of urgency from the college administration. While Trocaire began mailing notification letters to individuals on January 16, 2026, state regulators in Maine and New Hampshire were not formally briefed until late January. The lawsuits contend that immediate notification is the only way for victims to take meaningful steps to freeze their credit or protect their assets before damage occurs.

Trocaire continues to maintain that it took the necessary steps to secure its network immediately after the initial detection. As the cases move toward potential class-action status, the courts will likely focus on whether the college's internal investigation timeline justified the long silence. For now, thousands of former and current members of the campus community are left to manage the long-term risks associated with the exposure of their most private information.

Source: Cyberattack At Trocaire College Exposed Sensitive Information To Hackers