My SSN was exposed in a breach at Columbia—a school I have no connection with

Jackattak

Ars Tribunus Angusticlavius
7,006
Subscriptor++
SSNs were driver’s license numbers in some states in the 90s still.

Every soldier going through basic training shouts their social every time they eat in a cafeteria or go through the gas chamber.

Where did we go wrong treating them like private information? They never have been.
 
Upvote
283 (284 / -1)
Georgia Tech informed me recently that my information was exposed. I applied to Georgia Tech for grad school more than thirty years ago! I decided on another school instead so other than my application, I had no affiliation with Georgia Tech.

This is getting out of hand. There need to be consequences for this beyond just notifying the victims. I'm getting breach notices like this every other month now.
 
Upvote
226 (226 / 0)

SirOmega

Ars Tribunus Angusticlavius
6,223
Subscriptor++
I'm sure universities want to keep alumni data around (though SSNs shouldn't be a part of that dataset), because they want to be constantly fundraising. So I expect them to digitize and hoard a bunch of information. That is probably why people who took SATs pre-digital revolution had their information digitized and stored somewhere - so it could be put into a marketing database.

Side note: I came across a company called Altrada yesterday, one of their sales pitches is they can work with universities and non-profits to comb donor/alumni data to find high net worth individuals and target them for donations. Creep factor MAX. They're tracking your net worth, and they say they have over 100M person profiles. How is that even legal?
 
Upvote
147 (147 / 0)
At this point I have no idea how many businesses, institutions, organizations, services, websites, and what-nots have various articles of personal identifiers and data about myself and who they're sharing it with. And that is only exacerbated by the numerous hacks, security breaches, leaks, data badly stored in the clear, and C.O.s who get their laptop with a lame password and the entire database stolen out of their car over the last two-to-three decades at least.

People are really bad at this, and it makes me wonder why and how the sky hasn't completely caved in yet.
 
Upvote
52 (52 / 0)
"hoarding"

An organization the size and age of Columbia will have far more data (paper and digital) than it knows what to do with, but it's data so they aren't eager to discard it. And they will probably have countless db tables sitting around whose contents are unknown to anyone. But IT can't just drop them - a rarely-run but vital process somewhere in the org could be using them. So the data sits there.

That's why there are tools out there to scan and summarize tables: they can tell you, roughly, what the tables contain by analyzing numeric patterns (ex to find SSNs) or doing semantic analysis on text columns. This assumes you can point the tools to the places the tables live. Which assumes you know where it all is.

And there are tools that can try to figure out where tables get used and put into other tables (database "lineage"). But these require that code which accesses the tables be kept somewhere that the tools can find and read it. And this might not be the case if a table is only accessed by a decades-old script that resides on a PC sitting in the corner of an obscure admin's office.

So, data lingers. Columbia really might not have even known it had this SSN data.
 
Upvote
118 (118 / 0)
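The column-scanning approach the post above describes, as an added example that is not part of the thread or of any commercial tool: it walks every table in a database, samples each column, and flags columns where most values fit the SSA's structural rules for a valid SSN (area 001-899 excluding 666, group 01-99, serial 0001-9999). The sample tables and values are constructed for the demonstration; the database is an in-memory SQLite file standing in for whatever the real tables live in, and the 80% threshold is an assumed tuning knob.

```python
import re
import sqlite3

# SSA structural rules, with or without dashes: area not 000/666/9xx,
# group not 00, serial not 0000. Anything failing these is never a valid SSN,
# which removes a lot of nine-digit false positives (e.g. 9xx-prefixed IDs).
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")


def looks_like_ssn(value):
    """True if a single cell value has the shape of a valid SSN."""
    if value is None:
        return False
    return bool(SSN_RE.match(str(value).strip()))


def _quote(identifier):
    """Quote a SQLite identifier so odd table/column names don't break the query."""
    return '"' + identifier.replace('"', '""') + '"'


def scan_connection(conn, sample_rows=200, threshold=0.8):
    """Return [(table, column, hit_ratio)] for every column where at least
    `threshold` of the sampled non-null values look like SSNs."""
    findings = []
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY rowid")]
    for table in tables:
        columns = [r[1] for r in cur.execute(f"PRAGMA table_info({_quote(table)})")]
        for col in columns:
            rows = cur.execute(
                f"SELECT {_quote(col)} FROM {_quote(table)} "
                f"WHERE {_quote(col)} IS NOT NULL LIMIT {int(sample_rows)}"
            ).fetchall()
            if not rows:
                continue
            hits = sum(1 for (v,) in rows if looks_like_ssn(v))
            ratio = hits / len(rows)
            if ratio >= threshold:
                findings.append((table, col, round(ratio, 2)))
    return findings


def build_sample_db():
    """Constructed sample data standing in for forgotten tables; not real records."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    # An old applicant table keyed by SSN (every value format-valid).
    cur.execute("CREATE TABLE applicants_1993 (applicant_no TEXT, last_name TEXT, hs_code INTEGER)")
    cur.executemany("INSERT INTO applicants_1993 VALUES (?,?,?)", [
        ("212-34-5678", "Doe", 330123),
        ("451-22-0198", "Roe", 330456),
        ("551129876", "Poe", 331001),   # same shape, no dashes
        (None, "Unknown", 331002),      # NULLs are skipped, not counted as misses
    ])
    # Nine-digit donor IDs that start with 9: never valid SSNs, so not flagged.
    cur.execute("CREATE TABLE gifts (donor_id INTEGER, amount REAL)")
    cur.executemany("INSERT INTO gifts VALUES (?,?)",
                    [(900123456, 50.0), (900123457, 250.0), (900123458, 1000.0)])
    # A mixed junk column: one SSN-shaped value out of three stays below threshold.
    cur.execute("CREATE TABLE misc_backup (col1 TEXT)")
    cur.executemany("INSERT INTO misc_backup VALUES (?)",
                    [("123456789",), ("987654321",), ("note",)])
    conn.commit()
    return conn


if __name__ == "__main__":
    for table, col, ratio in scan_connection(build_sample_db()):
        print(f"{table}.{col}: {ratio:.0%} of sampled values look like SSNs")
```

Two caveats a practitioner would add: a column of nine-digit student or employee IDs in the 001-899 range will still hit, so every finding needs a human look at the table's provenance, and the scan only covers databases you can enumerate, which is exactly the gap the post describes.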

Eldorito

Ars Tribunus Angusticlavius
7,999
When I started my current job (working with HR/recruitment systems), I was kinda annoyed that someone decided that all the recruitment data from pre-2023 should be wiped. That's some great analytics gone!

These days, I thank that person daily. Saying "nope, deleted" simply answers every question. That data has never been useful. I'm tempted to just wipe the database every 12 months.
 
Upvote
136 (136 / 0)
SSNs were driver’s license numbers in some states in the 90s still.

Every soldier going through basic training shouts their social every time they eat in a cafeteria or go through the gas chamber.

Where did we go wrong treating them like private information? They never have been.
Yeah at this point doing the right thing is impossible and places need to protect social security ID numbers. But the real blame here should fall on the people who’ve decided to use these identification numbers as authentication information. All of the chaos resulting from the public exposure of these former public numbers should be laid at their feet.

I continue to believe my ID is probably public information, somewhere out there on the internet, and anyone who doesn’t do the due-diligence of checking whether the person providing it is actually me, is probably able to get scammed. Practically, I protect it, because credit agencies try (sometimes successfully) to make their incompetence your problem.
 
Upvote
84 (84 / 0)

Lexomatic

Ars Praetorian
545
Subscriptor++
I'm in the same boat as Ms Belanger -- I received a breach notification from Columbia by mail in early February, but have no obvious connection (enrolled or employed), so I was like "whuh?" That the root cause is SAT results or applications, from the early 1990s, sounds plausible -- I may still have a relevant record in my deep hardcopy archives that would confirm the hypothesis.

Re: traces, I occasionally get breach notices from unfamiliar entities who, upon investigation, do have a connection, but it's via a subcontractor or they've been renamed three times. FWIW, as advised by @Spaghettified above, I have frozen my credit reports (and those of my parents) as a best-practices precautionary measure.
 
Upvote
35 (35 / 0)
Probably an old .mdb sitting thirty subfolders deep on the server. \\columbia\old\archive\archive_new\_REAL_ARCHIVE\pre2000\backup\ ...
I've done some contracted work with some major universities. This is exactly my experience. Universities, even worse than corporations, are perfect examples of the "we have a written policy somewhere, but most of the rank-and-file staff not only don't follow it, they don't even know it exists" situation. Universities are giant piles of bureaucracy. The only "policies" that are followed are the ones that come up every day. Anything more obscure might as well not exist and is completely ad hoc in the day-to-day.

Data retention? Purging of backups? Please. Those policies are on paper in a three-ring binder somewhere, piled in cardboard printer paper boxes stored ten layers deep in a closet nobody uses.
 
Upvote
70 (71 / -1)

nosh

Wise, Aged Ars Veteran
149
That's why EU GDPR requires any personal data stored or processed to document a purpose for that storage.

Because otherwise something like this happens. My guess is that someone followed the 'best-practice' of using the SSN as primary key for all persons (despite all protestations that it is neither unique nor constant). And then everything was brought in a nice canonical form with a table for mapping SSN to names and back, SSN to address, and so on. And whenever they got any data for any purpose they added it to the tables (you want to avoid duplication after all). With no way to ever delete data of course, because you never know where else you have a table only referencing this via SSN that still has a valid use case....
 
Upvote
37 (37 / 0)

methodmadness00

Wise, Aged Ars Veteran
166
Subscriptor
Yeah they missed out on the proceeds of the opium narco trade, thankfully beacons like Harvard and Yale picked up the slack and pumped out the likes of Bush and Cheney.
Are we feeling a bit defensive because Columbia was the first to kneel and kiss Trump's ring? And it is notorious for the low ROI and revenue-generation focus of its master's degree programs? Also, both of those guys are from Yale, which was built on slavery and cotton gin money.
 
Upvote
-18 (8 / -26)
Side note: I came across a company called Altrada yesterday, one of their sales pitches is they can work with universities and non-profits to comb donor/alumni data to find high net worth individuals and target them for donations. Creep factor MAX. They're tracking your net worth, and they say they have over 100M person profiles. How is that even legal?
USAn exceptionalism.
 
Upvote
-8 (11 / -19)

goobster

Smack-Fu Master, in training
1
Welp, I have a view behind the scenes. Columbia has hit the OIG's radar several times in recent years. I think at some point there is going to be a dead reckoning on research eligibility. As is, the nation mostly (for various definitions of mostly) goes with an opt-out model. Your medical data is being whisked all over the place without your explicit consent. Data stewardship runs into a falsely claimed omnicompetent person called a Principal Investigator, who nine times out of ten is extremely incompetent technically. Sleep tight.
 
Upvote
20 (20 / 0)
SSNs were driver’s license numbers in some states in the 90s still.

Every soldier going through basic training shouts their social every time they eat in a cafeteria or go through the gas chamber.

Where did we go wrong treating them like private information? They never have been.
The funny thing is, the original promise was that social security numbers would ONLY be used for social security, never used for pure identification. Now, it's used for pretty much everything, and even companies are using it. That's the sort of cautionary tale we need to remember when they claim that RealID is ONLY being used for crossing the border. Combined with "age" verification laws, it doesn't take much to tie someone's entire online profile to one of these things for easy perusal.
 
Upvote
35 (40 / -5)

Robin-3

Ars Scholae Palatinae
1,213
Subscriptor
Unless there's actual liability associated with any of this, deleting/purging data simply won't be a priority for most organizations.

Sure, there's incentive to keep it; as others pointed out, universities can follow up with alums and potential donors. But in situations like the one in this article, that's not the motivation because this isn't an alum or potential donor. The author's data was just... part of heaps of data, sourced at some point for some reason, aggregated in various ways across various systems over years and decades, and just left there.

With a very few exceptions, deleting old data isn't a priority. It's the kind of task everyone agrees is important in the abstract, but it's never today's priority. It's seen as a potential long-term risk, but organizations typically prioritize working on short-term or mid-term opportunities and immediate risks instead. And there's always enough of those to keep everyone busy, unless your organization is unusually well-staffed or unusually risk-aware.

When I worked in banking, we were decent about keeping documentation for a set period of time and then destroying it. (Why? Because the risk of doing otherwise was clear: properly purged data can't be audited, and you can't be faulted for not having it either.) But as more data is moved to cloud or computerized storage, I'm guessing even financial or other risk-aware sectors struggle with this. Purging data now requires more technical know-how than someone with a calendar, a good eye for detail, and a shred-it bin. And it's hard to get management to agree that worker time should be spent on something that isn't making money.
 
Upvote
34 (34 / 0)
I'm sure universities want to keep alumni data around (though SSNs shouldn't be a part of that dataset), because they want to be constantly fundraising. So I expect them to digitize and hoard a bunch of information. That is probably why people who took SATs pre-digital revolution had their information digitized and stored somewhere - so it could be put into a marketing database.

Side note: I came across a company called Altrada yesterday, one of their sales pitches is they can work with universities and non-profits to comb donor/alumni data to find high net worth individuals and target them for donations. Creep factor MAX. They're tracking your net worth, and they say they have over 100M person profiles. How is that even legal?
Bad news for you.

You can, with a credit card, right now, with just being Joe Public....fork over about $5,000USD and get the entire data file for my entire state, with a year of updates. That file includes not only your personal worth, your physical address, your phone, your credit score, your home equity, your education, your employer, your schooling....about 300 data fields. For every person in my State.

And you can get my entire state's worth for less than a used car. And that has been going on--for years.


And yes, I priced it out...because of a project at work.
 
Upvote
48 (48 / 0)
Probably an old .mdb sitting thirty subfolders deep on the server. \\columbia\old\archive\archive_new\_REAL_ARCHIVE\pre2000\backup\ ...
Very possible. I worked at a place (now gone) where I discovered years prior the HR department had contracted some consulting company to build a basic HR system. The consulting company had hosted it unprotected on the open internet (you could connect to the mysql database from anywhere).

The system had long been abandoned (they migrated to Oracle's EBS HR module several years before this was discovered), but there was one piece that had never been migrated that HR continued to use (a story in and of itself, a bit of automation using tcl(!)), and no one realized that database was still out there with everyone's SSN (among other things) that had worked there at the time the system had been used.

We very quickly got them to turn that off and destroy the database.
 
Upvote
18 (18 / 0)
I mean, the fact of the matter is that SSNs were once used as student identifiers, so if you attended a school during the time that was a thing the school has to continue to store it if for no other reason than that former students may someday require transcripts because they seek to enroll in another school or are doing something that requires a deep background check, are applying for professional licensing, or other reasons.

The part that people have good reason to be upset about is how people who never attended (and apparently never even applied) have their data sitting around 20+ years later. There is no reason that information could not have been sanitized or dumped entirely.

(As an aside, I am mildly amused by the thought of people not realizing that data interchange of this kind was happening before the fully-fledged Internet existed. Credit bureaus have existed and exchanged data with creditors and other bureaus for most of a century at this point.)
 
Upvote
18 (18 / 0)

Chuckstar

Ars Legatus Legionis
37,460
Subscriptor
The funny thing is, the original promise was that social security numbers would ONLY be used for social security, never used for pure identification. Now, it's used for pretty much everything, and even companies are using it. That's the sort of cautionary tale we need to remember when they claim that RealID is ONLY being used for crossing the border. Combined with "age" verification laws, it doesn't take much to tie someone's entire online profile to one of these things for easy perusal.
RealID is just a stamp on your state ID showing that the state met some minimum standard in verifying your identity. What is it you think RealID could be “used for” that you’re so worried about?
 
Upvote
22 (23 / -1)