My SSN was exposed in a breach at Columbia—a school I have no connection with

Columbia admits last year’s data breach exposed victims beyond its students, staff.

See full article...

 

[flerchin]

Congratulations you get (more) free credit monitoring.

 

[johnsonwax]

I too received this notice from Columbia U. I am over 70 years old, from the midwest, and have never had any association with them. I took my SAT in 1969.

I have never sent Columbia a letter, an email, or other form of communication.

I have never set foot on the campus. I have never visited their website.

So, why do they have my personal information?

I also did a lot of work around document retention in my career and we made it part of our culture that document retention policies weren't just minimums but also maximums and also everything needed a policy. Part of the reason for maximums is that is protects you in the case of lawsuits - you don't need to turn over records you no longer have, and so long as you are implementing your policies consistently (and not an hour after you get a subpoena) you are free and clear of a lot of issues.

I would built a lot of that into the database schema itself and have specific tools to address records when they hit retention date. Generally those records would be anonymized, stripped of their identifying information and put into a different system so they could still be used for longitudinal studies, but nobody needs a street address, a phone number, a name, a SSN for that kind of thing.

Within 5 years of you taking the SAT there was no situation where Columbia would seek to recruit you as a student so at the very least that data should have been anonymized and I honestly can't think of a reason to keep it at all.

 

[johnsonwax]

I was still used for student IDs back in the late 90s too.

Depends on the state. The inflection point for that was 1974 when FERPA passed. The same year, the Patty Hearst situation happened which involved reporters getting personal information from UC Berkeley, and California and UC added additional controls on top of FERPA.

In states where only FERPA governed student records, they tended to be late in changing that (and still are in a lot of cases related to parental access to student records). In states like CA where state law and system policy came into play, things changed faster.

There are lots of federal laws which go mostly unenforced. Universities are required to disclose educational costs to students prior to enrolling in courses - lab fees, required materials or equipment, etc. This was enacted to address the problem of for-profit colleges charging low fees but requiring 'educational packets' once you were past the refund deadline which is where they made their money. Most universities are out of compliance with that law to some degree.

 

[breze]

It is, but the business claims it really is you and not a scammer. You're stuck trying to prove it was identify theft. The business doesn't care who's left holding the bag and you're easy to find.

I mean, yeah, practically they are able to cause you a problem. Anyone with enough money to hire lawyers can.

But on the other hand, I gave a guy who said he was alansh42 a car, why won’t you pay me for it? It’s about as much justification as these companies have.

 

[Griking]

Create an entirely new SS Number database. Everyone gets a new one.

New Law. SS Number can't be used for anything ID related. Can't be asked for for anything billing related. That includes medical.

 

[Raoul Ohio]

SS numbers were used all the time everywhere for decades, so probably everyone's is out there in a zillion places, it is hard to imagine that this is a big deal.

wondering how things got into the cloud? stuff gets copied and saved all the time. this posting will probably be all over the cloud by tomorrow, along with everything else.

 

[chemodalius]

Back in the early 2010s I was an IT student worker for a department at my university (like one degree program, not the whole university). I have no idea how effective it was, but I remember having to run a program on all the computers that looked for PII (especially SSNs) so we could remove it. We mostly could run it through the network/domain rules, but we were strict enough about it that I even had to put it on a flash drive and run it on computers that were entirely disconnected from the internet. I remember mostly finding 2 groups, patient information in research labs and prospective student info on the person in charge of registrations, lol.

 

[RZetopan]

Ah Columbia. The vastly overpriced community college of the Ivy League.

And notice how quickly they folded to the Orange Shitgibbon's shakedown. As a result, They need to suffer for their continual "we don't really care about the students"*. Keeping records long term, even about non-students, shows how unserious they are about their security.

*Their students are merely regarded as a source of continual income. Education, is a distant concern, as their quick removal of DEI and their paying off the mobster shakedown showed.
https://www.columbiaspectator.com/n...ump-administration-to-resume-federal-funding/

 

[raxadian]

Still the worst ID System Americans have.


View: https://www.youtube.com/watch?v=Erp8IAUouus

 

[SittingDuc]

Data retention? Purging of backups? Please. Those policies are on paper in a three-ring binder somewhere, piled in cardboard printer paper boxes stored ten layers deep in a closet nobody uses.

"Beware of the Leopard"

 

[ChaosFenix]

I honestly feel we need to implement not just a right to be forgotten but a duty to forget. Businesses should be held liable for keeping personal records for longer than is reasonable depending on the type of data in question. For example 7 years for financial records and maybe as little as a year for personal records where no money changed hands. This could help clear up instances where a company just hoards data. In addition to this I would also extend that liability to covering data that is non necessary to provide the service in question. My bank may have a valid reason 5o having my SSN for example. Facebook on the other hand should be penalized for grabbing this information even if you are an active customer.

 

[Marlor_AU]

There are two real issues here.

Firstly companies need to be liable for holding on to information too long. In Europe, the GDPR makes this explicit. Companies have a legal requirement to only hold data for as long as necessary, for a specific purpose, and to ensure data is deleted or anonymised once the purpose ends or defined timeframe is exceeded.

Data hoarding comes with risks, but it easily becomes the "default option". The only way to prevent this from happening is to have actual consequences for companies who engage in the practice.

Secondly, I have no idea what is going on with SSNs in the US. When I lived there, I was constantly asked for the number by virtually every company I engaged with. Trying to get by without a SSN for the first few months I was there seemed almost impossible. Yet, this number that everyone asks for is also treated as a credential that can expose you to risk if disclosed? Either it's a public identifier, or it's private information, it can't be both. This needs to be sorted out properly.

Plenty of countries get by without any form of universal ID number for individuals (privacy advocates often shoot down the idea whenever it's proposed) so instead a mishmash of different IDs for different purposes are used. On the other hand, plenty of countries do have a national ID system, but it's never used for security, so you could tattoo it on your forehead and still not be exposed to privacy risks. The US is the only country I'm aware of that requires you to have an ID number, give it out willy-nilly, but also treats it as some form of private credential. It is frankly madness.

 

[wardred]

The entire SSN database is available at this point.
It needs to be replaced with some sort of two factor system.
There is absolutely no reason a doctors office, insurance, loan agency needs your SSN.
A valid DL should suffice.

We have public/private key infrastructure.
We have the ability to get temporary keys.

Edit: Initially getting this number may be as onerous as getting a passport for those who aren't issued it at birth. NEVER GIVE THIS KEY OUT. (Even if you do, or it's stolen, there's some way to get a new key issued to you and the old key revoked. Maybe that's going to a government office with your ID to prove who you are and get that handled.)

If you need to apply for credit, for school, for loans, jobs, whatever, you can get yourself a temporary key that's good for an arbitrary amount of time. Let's say you can even choose the timeframe, up to 90 days. (You could have up to two temp keys out at a time so you don't have to sweat not being able to apply for jobs when one expires.)

That lets companies or other agencies use something with a very definite end date. Years later you don't have to worry about somebody getting a motorcycle or a job in your name with your for life, unencrypted, issued once and never revoked "unique", and often guessable, number.

If you don't need a 90 day window, then that number may only be good for a week or a few days.

This would also move some of the burden / responsibility for identity and credit everything from Experian and private industry to the government. I think it's ridiculous that we have three companies whose exclusive jobs are to be basically spies tracking all sorts of private data on citizens, selling it, and are the guardians of identity that so many companies go to instead of, or sometimes in addition to, the government.

This could easily be used as a universal citizen identifier for voting. A "permanent/revokable" number could be given to states for drivers licenses and other state government functions. Only the state agencies would be able to use that number, and even that could be revoked and reissued if there was a breach at the state level.


There's lots that would need to be figured out - particularly for people without access to tech and/or who are prone to losing such important information. We'd want it to work well for homeless, tech illiterate, phone and desktop only using people, etc. Probably this would involve offices and/or the ability to mail things to people.

Edit: And a second factor to make it even more secure. Please, please, please allow one of the standard authenticator app 2nd factors rather than forcing SMS and/or your proprietary authenticator app.

 

[Spud Spudly]

I understand your curiosity, but I really hope you did this for the sake of writing this story. Because otherwise all this research just seems like a real waste of time like who knows where the data breach came from these days. Who knows how they got your social. I tried to change my password on some service the other day and they wouldn’t let me choose it because I use the same password for a different site and they told me it had already been hacked somehow. Whatever. Your Social Security number is already for sale somewhere. That horse left the barn a long time ago. As long as nobody’s actively stealing from you, it’s not worth it

 

[lunatic_cringe]

The fact that Columbia had lists like that seems about par for the course. Back in the latter couple of decades of the previous century, and then into the early days of this one, SSNs were any inexperienced or lazy DB developer's way to create a unique ID for each entry in a list of people. The government had already done 90% of the work to ensure uniqueness and integrity. I'd bet there are countless schools and universities out there with rogue databases of SSNs. It wasn't just schools, though. Verizon was still using SSNs when I signed on with them in '04. When I questioned them at the store, the answer was some mumbo-jumbo about a credit check (that they never did, btw) even though I was putting my credit card on autopay. Basically, it was, "Fork over your SSN or no phone for you!" It wasn't all that long ago that you could still bring up your account on their website with a SSN query. Anyone wanna bet they still have that data stashed away?

 

[johnsonwax]

The fact that Columbia had lists like that seems about par for the course. Back in the latter couple of decades of the previous century, and then into the early days of this one, SSNs were any inexperienced or lazy DB developer's way to create a unique ID for each entry in a list of people. The government had already done 90% of the work to ensure uniqueness and integrity. I'd bet there are countless schools and universities out there with rogue databases of SSNs.

It's not usually used to create unique IDs. It's used to join data from disparate datasets. If you buy data from College Board and also buy data from ACT, how do you join those two datasets to align the same data for the same person? Names and addresses are fairly unreliable to match without a lot of data cleaning effort, so SSN becomes a reliable key to join on even if you don't want to retain SSN - because there are no other reliable keys to use.

Pretty much every data space has this same problem, where there's a kind of mutual agreement on what identifier to use as a key - Title IV school codes, Carnegie codes, and so on. If the government doesn't provide a valid for use key, some other key will be appropriated from whatever source is convenient. Governments create this problem by making it legal to do these things and then making it difficult - so of course data gets misused. If they want it to be legal, then provide a solution to the problem. If they don't want to provide a solution, then make it illegal.

 

[lunatic_cringe]

It's not usually used to create unique IDs. It's used to join data from disparate datasets. If you buy data from College Board and also buy data from ACT, how do you join those two datasets to align the same data for the same person? Names and addresses are fairly unreliable to match without a lot of data cleaning effort, so SSN becomes a reliable key to join on even if you don't want to retain SSN - because there are no other reliable keys to use.

Pretty much every data space has this same problem, where there's a kind of mutual agreement on what identifier to use as a key - Title IV school codes, Carnegie codes, and so on. If the government doesn't provide a valid for use key, some other key will be appropriated from whatever source is convenient. Governments create this problem by making it legal to do these things and then making it difficult - so of course data gets misused. If they want it to be legal, then provide a solution to the problem. If they don't want to provide a solution, then make it illegal.

Thank you. You did a far more thorough job of presenting the problem than I. Where I came from (government) we had the enormous problem of people who knew just enough SQL Server or MS Access to get into trouble. They'd create what we called, "rogue databases" by pulling down data from one or more corporate systems and importing it into their desktop DB of choice. But because they didn't know how to do what you describe, the SSN became an instant, easy unique key. This happened all the time. Often these things developed a life of their own and went into a sort of unofficial, undocumented production status. The network admins would have to perform regular whack-a-mole scans of the file repositories to hunt them down. Technically, this was all illegal under the Privacy Act of 1974, but as you can imagine, few paid attention until massive data breaches started making people worry about their jobs.

This was usually stuck on the office wall or monitor of those who of us had to worry about this sort of thing.

The Privacy Act wouldn't have applied to a university, but Big Education works much like Big Government. Since Columbia was being so stubbornly obtuse and cryptic about what happened, my working (conspiracy) theory is that this started as some ancient rogue database created in the Admissions department.

 

[.wojtek]

Usania reliance on SSN (with its Schroedinger nature if being both public and private at the sane time) while fighting tooth and nail any sane ID document is wholly amusing ... (same applies to Brits and, supposedly rest if the anglosphere)

 

[k h]

Spouse got the letter, and so did I. We've had nothing to do with Columbia, ever. Why were they tracking us?

 

[Bacterially Sound]

With Columbia being under massive attacks by Trump I am left wondering if there is some external connection to all this.
But that moves into conspiracy theories, not that there is not lots and lots of high up conspiring going on.

 

[ColinPearson]

I've spent about 20 years working in petrochem facilities. For pipe and vessel welding, the welds made by each welder are tracked so that any defective welds can be redone by the original welder, and so companies can keep track of their welders' performance. To do that, welders need an ID# (often called a "stencil") so they can be easily tracked. These are usually a couple of characters, something quick and easy. That all being said, I've seen older records where the welders' full SSN was used as their stencil. These records are sometimes shared to dozens of individuals during a bid process. How's that for a weird source of data breach?

 

[rick9004]

Your SS Number is just not secret anymore no matter how hard you try. Too many ways for it to go into the wild.

Two past incidents I learned about when I was developing software. 1) Early on a store had decided that their main ID for you would be your SS Number. This was changed.

2) A very large and well know EU car company send me a file that I needed from them to incorporate the data into a large database we were constructing. That file which was sales data, each sale attached to a SS number. When I asked the car company is this really their SS number, they said "sure, we use that number on all sales data we record. and more"

 

[The Lurker Beneath]

Usania reliance on SSN (with its Schroedinger nature if being both public and private at the sane time) while fighting tooth and nail any sane ID document is wholly amusing ... (same applies to Brits and, supposedly rest if the anglosphere)

Ireland is pretty anti-ID cards (an attitude that is understandable but perhaps a little quaint in this day and age) but we don't use our PPS numbers - a code issued to everyone on entering employment or the social welfare system - for ID. Generally photo-ID of some kind is required. [Government agencies definitely do use the PPS as an internal tag when passing clients from one to the other, but outside government it's never used for that AFAIK.]

 

[spVolt]

When I started my current job (working with HR/recruitment systems), I was kinda annoyed that someone decided that all the recruitment data from pre-2023 should be wiped. That's some great analytics gone!

These days, I thank that person daily. Saying "nope, deleted" simply answers every question. That data has never been useful. I'm tempted to just wipe the database every 12 months.

That won’t work out so well if the Pritzger Justice Dept subpoenas that organization in 2029 looking for evidence of Trump-driven discrimination. Given the long time periods involved in the academic world discrimination investigations could easily request 20 or even 30 years of data.

 

[pinkstone]

I'm in the same boat as Ms Belanger -- I received a breach notification from Columbia by mail in early February, but have no obvious connection (enrolled or employed), so I was like "whuh?" That the root cause is SAT results or applications, from the early 1990s, sounds plausible -- I may still have a relevant record in my deep hardcopy archives that would confirm the hypothesis.

Re: traces, I occasionally get breach notices from unfamiliar entities who, upon investigation, do have an connection, but it's via a subcontractor or they've been renamed three times. FWIW, as advised by @Spaghettified above, I have frozen my credit reports (and those of my parents) as a best-practices precautionary measure.

Same here, late 90's I took the SAT and possibly checked the box to send my scores to Columbia but otherwise never applied or had any contact with them. Received a letter to my childhood home where luckily my family still lives. There really should be a financial punishment for hoarding data of folks with no affiliation with the school for close to 30 years.

 

[McTurkey]

If you have a Social Security Number and are old enough to have learned how to read this sentence, that SSN has been in a number of data breaches greater than zero.

Future privacy legislation needs to focus on the revocation of authority to use an SSN as a piece of identifying information for anything. Thus making identity theft resulting from stolen SSNs functionally impossible. But of course it's not just that number--it's all the data tied to the number. More broadly I think we need new and better ways of authenticating someone's identity. Not just for the functions where we've traditionally provided an SSN, but for reducing vulnerability to scams--especially now in the age of AI where even a lot of biometric authentication is trivial enough to forge.

 

[zaghahzag]

SSNs were driver’s license numbers in some states in the 90s still.

Every soldier going through basic training shouts their social every time they eat in a cafeteria or go through the gas chamber.

Where did we go wrong treating them like private information? They never have been.

I was going to say, it was on both my college id and my drivers license when I lived in Illinois.

It's absurd that these schools haven't deleted or obfuscated all this data. 100% gross incompetence.

 

[jf1450]

I served 20 years in the Army from '68 - '88. I can't remember exactly when but towards the middle of that time the Army changed serial numbers from a random number to SSN. I still have my dog tags stamped with my SSN for my serial number.

 

[Binarian]

Every soldier going through basic training shouts their social every time they eat in a cafeteria or go through the gas chamber.

The gas chamber I can understand, but why the cafeteria?

 

[Jim Salter]

Data retention? Purging of backups? Please. Those policies are on paper in a three-ring binder somewhere, piled in cardboard printer paper boxes stored ten layers deep in a closet nobody uses.

Or in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying BEWARE OF THE LEOPARD.

 

[Jim Salter]

At some point we really need to let go of thinking SSNs are private data. Raise your hand if you think your SSN is NOT in the Equifax and National Public Data torrents.

Mine is in both of those, at least three separate (disclosed) breaches of my state's Treasury department, and more.

Also, if you believe all those claims that court records always redact your SSN in searches of public records, I've got some oceanfront property in Utah you might be interested in. Special price, just for you!

Even when courts redact your SSN from public record searches "correctly," they expose the last four. Here's the fun part: unless you're a fourteen year old, that doesn't help. The SSA only started issuing pseudorandomly generated SSNs in 2011.

If you got your SSN prior to 2011, it followed a format: the first three numbers represent a particular geographical area (just like the area code in a phone number), the next two represent an arbitrary "grouping", and the final four--the part the courts expose in public records even when they follow their own redaction guidelines correctly and fully--is a simple sequentially generated number.

So if you know what state somebody is born in, you know the first three. You may be able to infer the next two from their approximate age, especially if you have previously leaked and decoded PII available to compare it with other SSNs from the same area. And even if you have no clue about the grouping, but you have the birth state and last four, you've only got 100 combinations left to try!

 

[Jim Salter]

The gas chamber I can understand, but why the cafeteria?

I served in the Navy and I don't recall having to spit out my SSN in the boot camp chow line... But we were required to produce it on demand, and it was demanded frequently because very few recruits showed up to boot camp with it already memorized.

So we essentially got terrorized about it until we all did. "WHAT'S YOUR SOCIAL, RECRUIT?!" and stand the fuck by if you couldn't recite it as rapidly and accurately as your own first name.

 

[Jim Salter]

Sometimes I’ll finish my second plate of food when my daughters have only taken a few bites from theirs. They’ll ask me how in the world I manage to eat that fast. My reply: “High speed military training”. Nothing like eating your meal with a drill sergeant breathing down your neck to motivate you.

This squid disagrees. No need whatsoever for the drill sergeant or company commander to breathe down your neck.

At RTC Orlando in '89, they just gave us five minutes and five minutes only once seated, then forced us to de-ass the table and leave the chow hall whether we were "done" or not.

Most recruits, me included, got distracted at least once and didn't pound down that mediocre at best food fast enough.

And boy howdy, when you're running several miles a day every day, doing 100+ pushups a day, every day, AND MORE strenuous physical activity, YOU WILL LEARN YOUR LESSON if you screw up and don't get enough food down your gullet during any of the three five minute periods you have ACCESS to any food!

I learned permanently the first time. So did most recruits. As I recall, even the slowest learners only made that mistake three or four times. Turns out humans are wired pretty thoroughly to avoid that kind of thing.

 

[jamesdedon]

How about we just have some sort of in-person validation when taking on debt? Boom! Problem solved!

 

[Surtrus]

I'm not sure why this matters any more. No one will let you apply for a loan or anything like that any more based on only an SSN, because something like 97% (80% of all are in well known databases, and the next 17% are known to have leaked but have not made their way into the well known databases yet) of all SSNs have been disclosed in at -least- one data breach. The bar for identity theft is higher than having your SSN exposed.

 

[Uragan]

I’m trying to think of situations where I’ve had to disclose my SIN other than when I’ve filed my taxes or citizenship application… and I can’t think of any off the top of my head.

 

[Dude_Man]

Don't forget to keep your credit frozen friends, could save you a ton of trouble in case of identity theft

And if you have kids, freeze theirs too. It's a total PIA with paper copies via snail mail, but after the Instructure/Canvas school software breach a couple of years ago I just bit the bullet and did theirs too.

 

[mnemonicoverload]

RealID is just a stamp on your state ID showing that the state met some minimum standard in verifying your identity. What is it you think RealID could be “used for” that you’re so worried about?

Doesn't the standard require that it show your citizenship status to qualify as RealID? Can't imagine any racist cops ever looking at that to decide if they want to single you out for harrassment because you're a "only" a legal resident, not a citizen?

 

[Tonkaman]

Doesn't the standard require that it show your citizenship status to qualify as RealID? Can't imagine any racist cops ever looking at that to decide if they want to single you out for harrassment because you're a "only" a legal resident, not a citizen?

Only in some states. Which is why the SAVE Act was such a big deal.

Passports are the only proof of citizenship people have outside of their birth certificate, or if you live in about 5 states what's called an "enhanced ID" which can function as a passport with Canada. An enhancedID is a RealID but not all RealIDs are enhancedID.

 

[Reaperman2]

I understand your curiosity, but I really hope you did this for the sake of writing this story. Because otherwise all this research just seems like a real waste of time like who knows where the data breach came from these days. Who knows how they got your social. I tried to change my password on some service the other day and they wouldn’t let me choose it because I use the same password for a different site and they told me it had already been hacked somehow. Whatever. Your Social Security number is already for sale somewhere. That horse left the barn a long time ago. As long as nobody’s actively stealing from you, it’s not worth it

The point here isn't the release of SS numbers, genius. The point is that no decently run IT organization should be maintaining non-critical (let alone totally useless) information on anyone, ever. This is just common sense data hygiene, which Columbia's IT is apparently too incompetent to follow.

I worked in university IT for over 2 decades, and we undertook multiple projects (in various silos, since there was a time when all schools within the university kept their own data) to delete unnecessary and outdated data that still existed from the '80s. Maintaining that stuff costs money every year; identifying and deleting it (and then creating a forward-looking policy for what gets kept and what doesn't, and for future audits) is a one-time activity that pays dividends later on. It also happens to have the side effect of protecting private information, and making the organization less of a target for hackers.

Your post might as well have been written by a high school kid (and maybe it was!) because no one who's ever had a real job would miss the very obvious point of this article.