My SSN was exposed in a breach at Columbia—a school I have no connection with

June 4, 2026 Development Source: Ars Technica

The call center responded immediately by email, and I was encouraged when I was told they were “actively looking into why your information was included among the affected data and will get back to you.” They asked for patience while they completed their review, but after a month without any response, I began to wonder whether there was a reason the support systems had no answers—and why Columbia wasn’t talking about unaffiliated victims in its public notices.

In April, I contacted Columbia’s communications office, hoping it could at least clarify whether there was any path for victims like me to get questions answered. But even the comms team seemed evasive.

After weeks of prodding, they offered only a theory: The school might have obtained my SSN back in 2001 when I was a high school junior taking the SAT. That explanation seemed plausible, they suggested, since the stolen data dated back decades. At that time, SSNs were commonly used as student identifiers. I was told that I had likely consented to sharing mine in order to receive admissions or scholarship information from Columbia.

I asked the College Board if this theory could be true. A spokesperson disputed that any student’s SSN would have been shared with Columbia via an opt-in program called “Student Search.” Prior to 2018, when SSNs stopped being shared entirely, the College Board confirmed that the “only circumstance” in which it would have shared my SSN was if I had requested that my SAT scores be sent to Columbia, something I never did.

My frustration grew over four months of dead ends, until I had finally emailed Columbia enough times that it agreed to tell me what was really going on.

Columbia had already faced criticism for taking about a week to notify victims of the breach, since each day without notice increases the risk of identity theft. But for victims with no connection to the school, notification took even longer because, as the university explained, it required more time to track down their contact information.

I’m not sure when Columbia first attempted to contact me. The February letter mailed to my dad’s address—where I had not lived since graduating high school—claimed that Columbia had “previously disclosed” the breach to me, though it was my first notification. On Reddit, some users reported that they, too, had gotten notification letters mailed to their parents’ addresses. Others said Columbia managed to find their current addresses.

In discussions with Ars, a university official said that prior to 2012, Columbia received prospective student information, including Social Security numbers, from a wide range of sources. During that period, student recruitment services, scholarship programs, and testing programs often shared SSNs with Columbia, presumably with students’ consent. A student might consent to share their SSN, the official said, to receive information about various schools or scholarship programs. Or they might directly request that a testing program share their SSN along with their scores.

Ars reached out to the College Board and the ACT, which operate two major college testing programs, and confirmed that both stopped sharing SSNs as student identifiers. The College Board ended the practice in 2018, and ACT said it had stopped about a decade ago.

Columbia discontinued its use of SSNs as student identifiers in 2012, the official told Ars. It had also intended to delete SSNs collected before the breach occurred. But despite completing initiatives to remove SSNs and other sensitive personal data from its systems, the official said Columbia inadvertently missed a legacy database containing my SSN.

I’ve been assured that Columbia has since deleted my SSN from its system, and the school has reportedly accelerated its efforts to detect any other sensitive data still on its network. But I doubt the school will ever pinpoint the real source of my data, since the official also confirmed that some of the fields that would help identify data sources in cases like mine had been deleted.

It’s unclear how many victims have no connection to Columbia or how many universities may be hoarding stores of sensitive data from the early days of SSN sharing. Columbia did not specify how many unaffiliated victims were affected, nor what portion of the exposed SSNs could be traced to people outside the Columbia community. When asked for an estimate, the official suggested that “the vast majority of notified individuals had a known affiliation with the university.”

As early as 2005, Ars found that as online identity theft began to rise, the Social Security Administration started urging universities to stop using SSNs as student identifiers and to limit their collection of the numbers. Columbia’s case shows that some universities didn’t follow that guidance for years.

On Reddit, users reported receiving notifications suggesting their SSNs were likely shared after they took college placement tests in the 1990s. “Didn’t they get this info on, like, a floppy disk?” one user asked. “Why would it have ever made its way into ‘the cloud’? Is that not the ultimate in gross negligence?” Another user responded, “Yes! I’ve wondered the same! I guess I bubbled in my SSN on my SAT. How the hell did it get into a Columbia data set in 2025??!!” A third wondered, “Why would my mid-’90s data ever have been uploaded *anywhere*?”

Many users wondered whether they could join a proposed class action lawsuit alleging that Columbia “failed to prevent the data breach because it did not adhere to commonly accepted security standards and failed to detect that their databases were subject to a security breach.” Ars was unable to reach the case’s lead attorney to confirm whether victims unaffiliated with the school would be included if the class is certified. But while the named plaintiffs represent only people in the Columbia community, the proposed class definition suggests broader coverage, seeking to include “all persons whose PII was maintained on Defendant’s servers and compromised in the Data Breach.”

Columbia is currently engaged in private mediation with plaintiffs in that suit, and its response isn’t due until August 10. That allows time for a potential settlement outside of court, though such an agreement may not directly address other legal questions about Columbia’s data retention.

Congress could also intervene, Budington said, by passing legislation that allows a private right of action after data breaches, allowing victims to pursue cases directly instead of relying on state laws or waiting for state attorneys general to take up a case.

Whether Columbia will ever face legal scrutiny over the unique missteps surrounding its old SSN database, however, remains unclear. “Certainly it seems like they should have removed that data on their own accordance,” Budington said. “And the fact that they apparently hadn’t and possibly didn’t even know where it was stored, it seems like there should be some kind of a consequence.”

For victims who had nothing to do with Columbia and received extremely delayed notice of the breach, “the heightened risk of becoming victims of fraud is now permanent,” the proposed class action complaint alleges.

In addition to credit monitoring, Budington recommended that victims take extra steps to secure their bank accounts and lock down any other online accounts where their SSN might be used for authentication. “The fact that they did nothing to remediate that situation over the course of 20 years or more is really indicting,” Budington said.