When a stranger’s name appears on a data breach notification, it raises more questions than answers. In February, a single text from my father—showing a breach notice from Columbia University—kicked off a months-long investigation that revealed how a cyberattack exposed the Social Security numbers of nearly two million people, many with no affiliation to the Ivy League institution.
A breach notice with no explanation
The letter from Columbia warned of a cyber incident in June 2025 that compromised sensitive data, including Social Security numbers. Yet the university’s public statements and subsequent media coverage focused exclusively on "members of the Columbia community," implying the breach primarily affected students, applicants, and employees. No mention was made of individuals outside these groups—until strangers like me began receiving notifications.
The discrepancy left victims searching for clarity. Columbia’s breach notices detailed exposure of admissions, enrollment, and financial aid records, alongside employee data. However, the hacker responsible, identified in later reports, claimed a different motive: targeting Columbia’s admissions policies tied to affirmative action. This raised further questions about who exactly was impacted and why unrelated individuals were notified.
Who was affected—and why weren’t they notified sooner?
Columbia’s breach affected 1.8 million people, a figure later confirmed by major outlets. While the university’s initial communications suggested the incident was confined to its community, the sheer scale of the exposure indicated otherwise. Victims included individuals who had interacted with third-party vendors, submitted applications through affiliated platforms, or even shared data in unrelated contexts that somehow intersected with Columbia’s systems.
The delay in notifying non-Columbia-affiliated victims highlights a recurring issue in cybersecurity: institutions often prioritize direct stakeholders in breach responses. Yet when data from external sources is compromised, the responsibility to alert those affected can become murky. Legal frameworks vary, but many jurisdictions now mandate timely notification—regardless of the victim’s connection to the breached entity.
Victims received notices months after the breach, leaving little time to mitigate risks like identity theft. For those outside Columbia’s ecosystem, the process of verifying the legitimacy of the notification added another layer of stress.
What victims can—and should—do next
If you received a breach notice from Columbia, take immediate steps to secure your identity. Start by checking your credit reports for unauthorized activity. Free reports are available annually from major credit bureaus, and monitoring services can provide real-time alerts.
- Freeze your credit: Contact Equifax, Experian, and TransUnion to place a security freeze. This prevents new accounts from being opened in your name without your consent.
- Monitor financial accounts: Review bank and credit card statements for suspicious transactions. Set up transaction alerts if your institution offers them.
- Update passwords: Even if your Columbia-related passwords weren’t compromised, use this as an opportunity to strengthen your digital security. Enable two-factor authentication wherever possible.
Columbia has not yet disclosed the full extent of the data accessed, but the inclusion of Social Security numbers suggests a high-risk scenario. While the university has pledged to support affected individuals, the burden of recovery often falls on the victims themselves.
A cautionary tale for data handling in higher education
This incident underscores the importance of transparency in breach responses. Institutions must recognize that data ecosystems are interconnected—third-party vendors, application platforms, and even historical records can expose unrelated individuals to risk. Clear communication, proactive notification, and robust cybersecurity practices are no longer optional but essential.
For those caught in this breach, the path forward involves vigilance and proactive steps. As institutions continue to face sophisticated cyber threats, the responsibility to protect personal data must extend beyond their immediate communities.
AI summary
Columbia University's 2024 data breach affected 1.8 million people. Those hit by the attack included people with no connection to the school. What should victims do?