My SSN was exposed in a breach at Columbia—a school I have no connection with - Ars Technica
Columbia admits last year’s data breach exposed victims beyond its students, staff.
A weird text from my dad in February sent me on a months-long quest to solve a mystery that has been troubling an odd group of victims from a Columbia University data breach last year. That group? People with absolutely no connection to the school.
The text included a photo of a letter from Columbia, informing me that I was a victim of a data breach last June, one that exposed a wide range of sensitive information, including 1.8 million Social Security numbers.
Columbia’s public notices about the breach were addressed exclusively to “members of the Columbia community.” In the notices, Columbia warned that an “unauthorized party obtained information about students and applicants related to admissions, enrollment, and financial aid processes, as well as certain personal information associated with some Columbia employees.” Major news reports that followed only referenced people affiliated with Columbia as victims, while pointing out that the hacktivist behind the breach was reportedly motivated to expose Columbia’s history of “affirmative action-based” admissions.
It took a nightmare journey through Columbia’s victim support services before a Columbia official finally explained how decades of third-party data collection, combined with multiple unsuccessful data-removal initiatives, had led the school to warehouse data from so many unaffiliated people.
In my search for information, Kroll’s hotline felt like a dead end. The only option hotline staffers offered victims like me was to escalate the case, and if you called back, they would offer to re-escalate it. Supposedly, escalation would result in a callback with more information. When weeks passed without any follow-up, I tried a different route and contacted Columbia’s IT call center.
The call center responded immediately by email, and I was encouraged when I was told they were “actively looking into why your information was included among the affected data and will get back to you.” They asked for patience while they completed their review, but after a month without any response, I began to wonder whether there was a reason the support systems had no answers—and why Columbia wasn’t talking about unaffiliated victims in its public notices.
In April, I contacted Columbia’s communications office, hoping it could at least clarify whether there was any path for victims like me to get questions answered.
But even the comms team seemed evasive. After weeks of prodding, they offered only a theory: The school might have obtained my SSN back in 2001 when I was a high school junior taking the SAT. That explanation seemed plausible, they suggested, since the stolen data dated back decades. At that time, SSNs were commonly used as student identifiers. I was told that I had likely consented to sharing mine in order to receive admissions or scholarship information from Columbia.
But I had never shopped around for colleges and therefore wouldn’t have knowingly shared my personal information. I certainly never wanted to attend Columbia. I went to high school in Florida, where the state’s “Bright Futures” program covered full tuition for kids with good grades. My parents never talked about paying for school, so I had no idea how the process worked. I love a good deal, so I only applied to one school, and as a result, I sent my SAT scores to only one school: the University of Florida.
So I was skeptical of this theory, and I wasn’t alone. On social media and Reddit, I found dozens of posts from people similarly confused about why they received a breach notice. Some users deduced that their SSNs were likely shared when they took the SAT, the ACT, or the GRE, or possibly when filling out forms for financial aid, like the FAFSA. Others seemed to receive vague explanations from Columbia about testing programs that may have shared their SSNs, and like me, they assumed the College Board, which manages the SAT, had provided that data.
I asked the College Board if this theory could be true. A spokesperson disputed that any student’s SSN would have been shared with Columbia via an opt-in program called “Student Search.” Prior to 2018, when SSNs stopped being shared entirely, the College Board confirmed that the “only circumstance” in which it would have shared my SSN was if I had requested that my SAT scores be sent to Columbia, something I never did.
My frustration grew over four months of dead ends, until I had finally emailed Columbia enough times that it agreed to tell me what was really going on.
Columbia had already faced criticism for taking about a week to notify victims of the breach, since each day without notice increases the risk of identity theft. But for victims with no connection to the school, notification took even longer because, as the university explained, it required more time to track down their contact information.
I’m not sure when Columbia first attempted to contact me. The February letter mailed to my dad’s address—where I had not lived since graduating high school—claimed that Columbia had “previously disclosed” the breach to me, though it was my first notification. On Reddit, some users reported that they, too, had gotten notification letters mailed to their parents’ addresses. Others said Columbia managed to find their current addresses.
In discussions with Ars, a university official said that prior to 2012, Columbia received prospective student information, including Social Security numbers, from a wide range of sources. During that period, student recruitment services, scholarship programs, and testing programs often shared SSNs with Columbia, presumably with students’ consent.
A student might consent to share their SSN, the official said, to receive information about various schools or scholarship programs. Or they might directly request that a testing program share their SSN along with their scores. Ars reached out to the College Board and the ACT, which operate two major college testing programs, and confirmed that both stopped sharing SSNs as student identifiers. The College Board ended the practice in 2018, and ACT said it had stopped about a decade ago.
Columbia discontinued its use of SSNs as student identifiers in 2012, the official told Ars. It had also intended to delete SSNs collected before the breach occurred. But despite completing initiatives to remove SSNs and other sensitive personal data from its systems, the official said Columbia inadvertently missed a legacy database containing my SSN.
I’ve been assured that Columbia has since deleted my SSN from its system, and the school has reportedly accelerated its efforts to detect any other sensitive data still on its network. But I doubt the school will ever pinpoint the real source of my data, since the official also confirmed that some of the fields that would help identify data sources in cases like mine had been deleted.
As I now understand it, Columbia’s IT department has been working for months to identify any remaining data to respond to victims’ questions.
And this week, Columbia will finally start following up with victims who reached out to either Kroll or Columbia’s IT call center with questions about their data. Those two resources are still the recommended paths for unaffiliated victims seeking answers, Columbia’s official confirmed.
It’s also possible that some victims in this group may never have received notices. After Ars’ pressing, Columbia confirmed that it would publicly acknowledge this group of victims unaffiliated with the university for the first time in a blog post, which was published on Wednesday. The university also provided Ars with a lengthy statement addressing these victims, saying:
Columbia has been investigating questions raised by individuals with no known connection to the University about how their information came to be in our systems. Based on our examination, we believe that this information came to us through student recruitment services that, at the time, provided this type of information to colleges and universities from students who indicated they wanted to share it, whether to report a test score or to request further information about specific colleges, universities, or scholarship programs. Investigations of this nature are complex and, unfortunately, take time. The University notified impacted individuals as soon as it was able to identify contact information. We are in the process of responding to individuals, including those with no apparent connection to the University, who have reached out with additional questions about the notification they received.
It took about four months to learn that Columbia will likely never be able to determine how it got my SSN.
It’s unclear how many victims have no connection to Columbia or how many universities may be hoarding stores of sensitive data from the early days of SSN sharing. Columbia did not specify how many unaffiliated victims were affected, nor what portion of the exposed SSNs could be traced to people outside the Columbia community. When asked for an estimate, the official suggested that “the vast majority of notified individuals had a known affiliation with the university.”
As early as 2005, Ars found that as online identity theft began to rise, the Social Security Administration started urging universities to stop using SSNs as student identifiers and to limit their collection of the numbers. Columbia’s case shows that some universities didn’t follow that guidance for years. On Reddit, users reported receiving notifications suggesting their SSNs were likely shared after they took college placement tests in the 1990s.
“Didn’t they get this info on, like, a floppy disk?” one user asked. “Why would it have ever made its way into ‘the cloud’? Is that not the ultimate in gross negligence?”
Another user responded, “Yes! I’ve wondered the same! I guess I bubbled in my SSN on my SAT. How the hell did it get into a Columbia data set in 2025??!!”
A third wondered, “Why would my mid-’90s data ever have been uploaded anywhere?”
Many users wondered whether they could join a proposed class action lawsuit alleging that Columbia “failed to prevent the data breach because it did not adhere to commonly accepted security standards and failed to detect that their databases were subject to a security breach.”
Ars was unable to reach the case’s lead attorney to confirm whether victims unaffiliated with the school would be included if the class is certified. But while the named plaintiffs represent only people in the Columbia community, the proposed class definition suggests broader coverage, seeking to include “all persons whose PII was maintained on Defendant’s servers and compromised in the Data Breach.”
Columbia is currently engaged in private mediation with plaintiffs in that suit, and its response isn’t due until August 10. That allows time for a potential settlement outside of court, though such an agreement may not directly address other legal questions about Columbia’s data retention.
Hoarding SSNs for 20 years is “really indicting”
Educational institutions and ed tech companies remain attractive targets for hackers, since schools and firms inevitably store vast amounts of sensitive data.
Columbia’s incident last year was not the largest to rock the education sector. A breach at PowerSchool, which provides K–12 education software, compromised sensitive data belonging to over 60 million students, the nonprofit Electronic Frontier Foundation noted in its annual “Breachies” awards, which recognize the weirdest and most impactful data breaches. But while Columbia’s breach exposed far fewer students’ data, the school still made EFF’s “(dis)honorable mentions” list. Critics blasted the school for holding sensitive records on its own staff and students indefinitely, but nobody knew the school was holding onto even more data.
Bill Budington, a senior staff technologist at EFF, told Ars that it’s unusual that Columbia did not indicate in any public notice that some victims had no connection to the university. That omission stood out, he suggested, because Columbia “has some prestige, some trust that’s imbued in them.”
“It was clear that this was improperly stored data that then, given enough time, inevitably becomes a subject of a data breach,” Budington said. “And that’s something they should… take care to protect, even especially because it includes people that weren’t even affiliated with Columbia, didn’t even place their trust in Columbia in the first place.”
I asked Budington if anything could be done to stop other universities from hoarding historical SSN data in vulnerable online systems. He suggested that a more active Federal Trade Commission might investigate the data retention as an unfair and deceptive business practice.
Congress could also intervene, Budington said, by passing legislation that allows a private right of action after data breaches, allowing victims to pursue cases directly instead of relying on state laws or waiting for state attorneys general to take up a case. Whether Columbia will ever face legal scrutiny over the unique missteps surrounding its old SSN database, however, remains unclear.
“Certainly it seems like they should have removed that data on their own accordance,” Budington said. “And the fact that they apparently hadn’t and possibly didn’t even know where it was stored, it seems like there should be some kind of a consequence.”
For victims who had nothing to do with Columbia and received extremely delayed notice of the breach, “the heightened risk of becoming victims of fraud is now permanent,” the proposed class action complaint alleges. In addition to credit monitoring, Budington recommended that victims take extra steps to secure their bank accounts and lock down any other online accounts where their SSN might be used for authentication.
“The fact that they did nothing to remediate that situation over the course of 20 years or more is really indicting,” Budington said.