The Southern District of New York is the venue for a proposed class action against Columbia University, alleging negligence and failure to meet commonly accepted security standards, over a June 2025 data breach that exposed 1.8 million Social Security numbers, including those of an undisclosed number of people who never applied to, attended, or worked for the school.

Columbia’s public breach notices addressed themselves exclusively to “members of the Columbia community,” warning of an “unauthorized party” obtaining student, applicant, and employee data. What Columbia didn’t disclose, and didn’t acknowledge until pressed this week, is that it had warehoused SSNs from entirely unaffiliated people. The school only publicly confirmed this group of victims Wednesday.

The data trail runs back decades. Before 2012, Columbia received prospective student information, including SSNs, from student recruitment services, scholarship programs, and testing programs. The College Board stopped sharing SSNs in 2018; ACT ended the practice about a decade ago. Columbia itself discontinued SSN use as a student identifier in 2012 and intended to purge the old records, but inadvertently missed a legacy database. That database sat in Columbia’s systems until hackers struck.

Bill Budington, a senior staff technologist at the Electronic Frontier Foundation, called the 20-plus years of retention “really indicting” and suggested the FTC could investigate it as an unfair and deceptive business practice. The harder question: any university that ran similar recruitment pipelines in that era may hoard the same buried data, and most don’t know what’s left.

In re Columbia University Data Breach Litigation, docket 1:25-cv-05541 (S.D.N.Y.), is stayed pending private mediation. Columbia’s response isn’t due until August 10.

James Okafor