My SSN was exposed in a breach at Columbia—a school I have no connection with - Ars Technica
A weird text from my dad in February sent me on a months-long quest to solve a mystery that has been troubling an odd group of victims from a Columbia University data breach last year. That group? People with absolutely no connection to the school.
The text included a photo of a letter from Columbia, informing me that I was a victim of a data breach last June, one that exposed a wide range of sensitive information, including 1.8 million Social Security numbers.
Columbia’s public notices about the breach were addressed exclusively to “members of the Columbia community.” In the notices, Columbia warned that an “unauthorized party obtained information about students and applicants related to admissions, enrollment, and financial aid processes, as well as certain personal information associated with some Columbia employees.” Major news reports that followed only referenced people affiliated with Columbia as victims, while pointing out that the hacktivist behind the breach was reportedly motivated to expose Columbia’s history of “affirmative action-based” admissions.
But I don’t belong to the “Columbia community.” I have never applied for, attended, or worked for the school. And the letter sent to me—which arrived six months after the public notice—did not explain how Columbia obtained and exposed my SSN. All the letter said was that the breach affected “certain personal information about admissions, enrollment, and the financial aid process.” It directed me to sign up for free credit monitoring from Kroll Monitoring, a service Columbia hired to manage the hotline for victims.
It took a nightmare journey through Columbia’s victim support services before a Columbia official finally explained how decades of third-party data collection, combined with multiple unsuccessful data-removal initiatives, had led the school to warehouse data from so many unaffiliated people.
Did taking the SAT expose my SSN?
In my search for information, Kroll’s hotline felt like a dead end. The only option hotline staffers offered victims like me was to escalate the case, and if you called back, they would offer to re-escalate it. Supposedly, escalation would result in a callback with more information. When weeks passed without any follow-up, I tried a different route and contacted Columbia’s IT call center.
The call center responded immediately by email, and I was encouraged when I was told they were “actively looking into why your information was included among the affected data and will get back to you.” They asked for patience while they completed their review, but after a month without any response, I began to wonder whether there was a reason the support systems had no answers—and why Columbia wasn’t talking about unaffiliated victims in its public notices.
In April, I contacted Columbia’s communications office, hoping it could at least clarify whether there was any path for victims like me to get questions answered.
But even the comms team seemed evasive. After weeks of prodding, they offered only a theory: The school might have obtained my SSN back in 2001 when I was a high school junior taking the SAT. That explanation seemed plausible, they suggested, since the stolen data dated back decades. At that time, SSNs were commonly used as student identifiers. I was told that I had likely consented to sharing mine in order to receive admissions or scholarship information from Columbia.
But I had never shopped around for colleges and therefore wouldn’t have knowingly shared my personal information. I certainly never wanted to attend Columbia. I went to high school in Florida, where the state’s “Bright Futures” program covered full tuition for kids with good grades. My parents never talked about paying for school, so I had no idea how the process worked. I love a good deal, so I only applied to one school, and as a result, I sent my SAT scores to only one school: the University of Florida.
So I was skeptical of this theory, and I wasn’t alone. On social media and Reddit, I found dozens of posts from people similarly confused about why they received a breach notice. Some users deduced that their SSNs were likely shared when they took the SAT, the ACT, or the GRE, or possibly when filling out forms for financial aid, like the FAFSA. Others seemed to receive vague explanations from Columbia about testing programs that may have shared their SSNs, and like me, they assumed the College Board, which...