My SSN was exposed in a breach at Columbia—a school I have no connection with

A Columbia University data breach last June exposed sensitive information—including 1.8 million Social Security numbers—yet victims with no connection to the university were left in the dark. The breach, linked to a hacktivist allegedly targeting Columbia’s admissions practices, initially received public notices addressed only to “members of the Columbia community,” while media reports focused solely on affiliated individuals. The author received a late notification in February, six months after the breach, confirming their SSN was exposed but offering no explanation for how Columbia obtained it. The letter directed them to Kroll Monitoring, a service hired by Columbia to manage victim support, but the hotline provided no meaningful assistance, only escalation options that yielded no follow-up. After weeks of frustration, the author contacted Columbia’s IT call center, where an official finally revealed the breach resulted from decades of third-party data collection and failed data-removal initiatives. The university had accumulated records from unaffiliated individuals, including those who took the SAT or interacted with Columbia-affiliated services, without securely purging the information. Victims like the author faced bureaucratic hurdles, with Kroll’s hotline offering no resolution and Columbia’s support system requiring repeated escalations. The breach highlights systemic failures in data governance, leaving non-affiliated individuals vulnerable despite the university’s targeted breach communications. Columbia’s response to the breach has been criticized for its lack of transparency and support for affected parties outside its official community. The incident raises broader questions about institutional data practices and the risks of third-party data accumulation.