Kroll and Columbia University: My SSN was exposed in a breach at Columbia—a school I have no connection with

Kroll and Columbia University: My SSN was exposed in a breach at Columbia—a school I have no connection with

Columbia University Data Breach Exposes Unaffiliated Individuals’ Sensitive Data

In February, a puzzling text from a family member led to the discovery of a months-long data breach mystery involving Columbia University one that affected individuals with no apparent ties to the institution. The text included a letter from Columbia, dated six months after the initial public notice, informing the recipient that their Social Security number (SSN) and other sensitive data had been exposed in a June 2023 breach.

Columbia’s initial breach notifications, issued last year, were directed solely at "members of the Columbia community," warning of unauthorized access to admissions, enrollment, financial aid, and employee records. Major media reports echoed this, framing the incident as limited to students, applicants, and staff, while noting that the hacktivist behind the attack claimed motivation tied to Columbia’s admissions policies.

However, the breach extended far beyond the university’s direct affiliates. The recipient a non-student, non-employee with no prior connection to Columbia received no explanation in the letter about how their data was obtained or exposed. The only remedy offered was enrollment in free credit monitoring via Kroll, the third-party firm hired to manage victim support.

After repeated attempts to seek clarity through Kroll’s hotline where escalations yielded no follow-up a Columbia IT representative eventually revealed the cause: decades of third-party data collection, combined with failed data-removal efforts, had left the university holding sensitive information on individuals with no formal affiliation. The source of the exposed data, including SSNs, may trace back to standardized testing (such as the SAT) or other external partnerships, though Columbia has not provided a full account of its data retention practices.

The breach underscores the risks of unchecked data aggregation by institutions, even for those with no direct relationship to the entity holding their information. As of now, the full scope of affected unaffiliated individuals remains unclear.

Source: https://arstechnica.com/tech-policy/2026/06/my-ssn-was-exposed-in-a-breach-at-columbia-a-school-i-have-no-connection-with/

Kroll Cyber and Data Resilience cybersecurity rating report: https://www.rankiteo.com/company/kroll-cyber

Columbia University cybersecurity rating report: https://www.rankiteo.com/company/columbia-university

"id": "KROCOL1780583387",
"linkid": "kroll-cyber, columbia-university",
"type": "Breach",
"date": "6/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'Students, applicants, staff, '
                                              'and unaffiliated individuals',
                        'industry': 'Education',
                        'location': 'New York, USA',
                        'name': 'Columbia University',
                        'type': 'Educational Institution'}],
 'customer_advisories': 'Free credit monitoring via Kroll offered to affected '
                        'individuals',
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Social Security numbers, '
                                             'admissions records, enrollment '
                                             'records, financial aid records, '
                                             'employee records'},
 'date_detected': '2023-06',
 'date_publicly_disclosed': '2023-06',
 'description': 'In February, a data breach at Columbia University was '
                'discovered to have exposed sensitive data, including Social '
                'Security numbers, of individuals with no apparent ties to the '
                'institution. The breach, initially reported in June 2023, was '
                'framed as affecting only members of the Columbia community, '
                'but later revelations showed it impacted unaffiliated '
                'individuals due to decades of third-party data collection and '
                'failed data-removal efforts.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': 'Social Security numbers, admissions, '
                                'enrollment, financial aid, and employee '
                                'records',
            'identity_theft_risk': 'Yes'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The breach underscores the risks of unchecked data '
                    'aggregation by institutions, even for individuals with no '
                    'direct relationship to the entity holding their '
                    'information.',
 'motivation': 'Tied to Columbia’s admissions policies',
 'post_incident_analysis': {'root_causes': 'Decades of third-party data '
                                           'collection combined with failed '
                                           'data-removal efforts'},
 'references': [{'source': 'Columbia University breach notifications'}],
 'response': {'communication_strategy': 'Initial notifications limited to '
                                        "'members of the Columbia community'; "
                                        'later expanded to unaffiliated '
                                        'individuals',
              'third_party_assistance': 'Kroll (credit monitoring)'},
 'threat_actor': 'Hacktivist',
 'title': 'Columbia University Data Breach Exposes Unaffiliated Individuals’ '
          'Sensitive Data',
 'type': 'Data Breach'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.