My SSN was exposed in a breach at Columbia—a school I have no connection with
A dad's random text message in February unraveled something that should outrage anyone who has ever had their data compromised by an institution: Columbia University knew it exposed nearly two million Social Security numbers to hackers, then spent months telling only its own "community" while millions of strangers—people who never applied, never enrolled, never worked there—were left completely in the dark about their exposure.
Analysis
Let that satisfying irony settle for a moment. A university celebrated for its elite intellectual rigor couldn't manage the basic moral calculus of telling people when it had burned their most sensitive information to the ground.
The breach itself happened last June. Hackers—apparently motivated by Columbia's history of affirmative action-based admissions—extracted a staggering trove of data: Social Security numbers, financial aid records, admissions details, employee information. This wasn't some minor metadata leak. This was the kind of breach that can dismantle a person's financial life for years. And according to the letter that Columbia did eventually send out, 1.8 million Social Security numbers were compromised. Eighteen hundred thousand. That's not a typo. That's not a rounding error. That's a small city's worth of identities, handed over to actors with explicitly political motivations.
Here's the part that should make every tech executive, every university administrator, every government official squirm: a significant number of those victims have absolutely no connection to Columbia University. None. They didn't attend. They didn't apply. They have no alumni ties, no employment history, no summer program enrollment. They are strangers to the institution entirely, and yet their most intimate data sat inside Columbia's systems long enough to be exfiltrated by someone who clearly wasn't supposed to have it.
How did Columbia handle this catastrophe? With a communication strategy that would make a PR crisis consultant blush. The university's public notices were addressed exclusively to "members of the Columbia community." Official statements warned about exposure to "students and applicants related to admissions, enrollment, and financial aid processes, as well as certain personal information associated with some Columbia employees." Not a word about the millions of external victims. Not a single acknowledgment that the breach extended beyond the campus walls.
Major news outlets amplified this framing without questioning it. Every headline, every report referenced Columbia affiliates. The hacktivist's motive—exposing affirmative action practices—was covered extensively, almost theatrically, as if the political dimension of the attack somehow made the institutional negligence less relevant. But the real scandal wasn't the hacker's ideology. The real scandal was Columbia's decision, whether conscious or merely negligent, to treat this as a community issue rather than a public one.
Think about what this means practically. If you're one of those external victims, your Social Security number is now in the hands of people who used a university breach to make a political statement. You never consented to your data being stored by Columbia. You never had a relationship with the institution. You might not even know your information was there. And when the breach became public, Columbia didn't tell you. They told their own people. The rest of you? You had to learn about it because a father happened to forward his kid a photo of a letter.
This raises uncomfortable questions about data hoarding practices across higher education and beyond. Why did Columbia have the Social Security numbers of people who had no affiliation with the school? Were these applicants who were rejected decades ago? Parents listed on financial aid documents? Third-party vendors? Medical patients treated at university hospitals? The lack of transparency here is deafening. Columbia hasn't explained why so many external identities were in their systems, and regulators haven't forced them to.
The notification failure is equally damning. Most states have data breach notification laws that require institutions to inform affected individuals within a specific timeframe. If Columbia's breach included millions of non-affiliated people, those individuals were entitled to direct notification. By limiting its communications to the "Columbia community," the university may have violated those laws. Or it may have simply calculated that external victims were less likely to notice, less likely to complain, and therefore less likely to generate legal liability. Either interpretation is corrosive.
What's happening right now, in quiet offices and inboxes across the country, is that people are slowly discovering they were exposed. Some are finding out through credit monitoring alerts. Others are learning through the same accidental channels that tipped off the original writer of this story. And many, many more have no idea yet. They're walking around with compromised identities, trusting a system that already failed them once.
This is the dirty secret of the data economy. Institutions collect vast amounts of personal information—often far more than they need, often from people who have no direct relationship with them—and when that information is breached, the institution gets to control the narrative. Columbia framed this as a community issue. They used language designed to reassure their own stakeholders while leaving millions of others to fend for themselves. The media largely accepted this framing. And the people most affected are the ones who were least likely to be told.
There's a word for this kind of institutional behavior, and it isn't negligence. It's cowardice. Columbia knew the scope of this breach. The numbers alone—1.8 million Social Security numbers—should have triggered a response proportional to the damage. Instead, they chose the narrowest possible interpretation of their responsibility and hoped nobody would notice.
Someone noticed. A dad, a random text, a letter that shouldn't have existed in the first place. That's how this story broke—not through corporate transparency, not through regulatory enforcement, but through the accidental diligence of a family member who happened to be paying attention.
The next chapter of this story should involve serious legal consequences for Columbia's notification practices. It should involve investigations into why so much external data was being stored and protected so poorly. And it should prompt every organization that hoards personal information to reckon with a simple question: if your systems are breached, will you tell everyone affected, or just the people whose loyalty you're trying to preserve?
Columbia's answer, so far, has been damning. And the millions of invisible victims at the center of this breach deserve a lot better than what they've gotten.