Columbia University's data breach exposed Social Security numbers of 1.8 million people, including individuals with no connection to the school. The breach notification reached victims months after the public announcement, with some receiving letters mailed to outdated addresses. Columbia initially only acknowledged affected students, staff, and applicants, leaving many confused why they received breach notices.

The breach stemmed from Columbia's retention of legacy data containing SSNs collected before 2012, when the school stopped using them as student identifiers. Despite initiatives to remove sensitive information, the university inadvertently missed one database containing personal information. Testing programs like the College Board and ACT had shared SSNs with institutions prior to 2018, though neither organization confirmed Columbia received data through these channels.

Victims experienced a frustrating journey through Columbia's support systems, with many dead ends and vague explanations. The school now claims to have deleted the remaining SSNs and is accelerating efforts to identify any remaining sensitive data. Columbia has finally begun following up with victims who contacted their IT call center, though the exact source of some victims' data may never be pinpointed due to deleted reference fields.