IT Security has collapsed and it's time to stop pretending otherwise
Your data is unprotected and being used without your agreement
Crawling down the alley on your hands and knee
I'm sure you're not protected, for it's plain to see
The Diamond Dogs are poachers and they hide behind trees
Hunt you to the ground they will, mannequins with kill appeal
Columbia University lost 1.8 million Social Security numbers; no one noticed
Columbia University was hacked last summer; hackers grabbed personal information, including Social Security numbers, from decades of students, faculty and community members. That stellar group includes Barack Obama, Ruth Bader Ginsburg, Elena Kagan and Warren Buffett.
And me!
But I haven’t taught at the Columbia Graduate School of Journalism since 1997. Nevertheless, I got a letter:
Even odder, my son who has never attended Columbia got the same letter. We did stop by, once, when he was in high school and doing college visits. But that’s the extent of his involvement with them.
But that’s not even the crazy one. Consider the plight of Ashley Belanger:
But I don’t belong to the “Columbia community.” I have never applied for, attended, or worked for the school. And the letter sent to me—which arrived six months after the public notice—did not explain how Columbia obtained and exposed my SSN. All the letter said was that the breach affected “certain personal information about admissions, enrollment, and the financial aid process.” It directed me to sign up for free credit monitoring from Kroll Monitoring, a service Columbia hired to manage the hotline for victims.
It took a nightmare journey through Columbia’s victim support services before a Columbia official finally explained how decades of third-party data collection, combined with multiple unsuccessful data-removal initiatives, had led the school to warehouse data from so many unaffiliated people.
Please explain to me the purpose of privacy laws and regulations and policies when your Social Security number can end up in the careless hands of some giant institution without your agreement.
IT’s dirty secret is that all your data, public and private, has been treated as nothing more than raw materials, with no more consideration than a butcher has for a side of beef.
No matter how important your Social Security number is to you, it’s just a little more ground round for Columbia.
And IT’s dirty secret is secret no more. No one’s data has been secure for years, but everyone believed it was.
No more.
The illusion of security held because actual hacking was not that easy. IT security types could report defeating thousands and thousands of hacks because the vast majority of daily cyber probes, scans, and basic exploits were done by what’s called in the trade script kiddies—novice actors using pre-written scripts, automated scanner tools, and exploit frameworks created by much more advanced hackers. The security job was mostly keeping up to date by reading the nerd message boards and patching to block script kiddie tools as they were revealed.
The real damage was done by high-level hackers and government agencies, but it was easy to look secure by fending off hordes of script-kiddie assaults.
No more. AIs have turned today’s script kiddies into an existential threat. And all that ill-protected data is suddenly widely exposed:
Meta’s AI chatbot will let you change high-profile Instagram account emails if you ask nicely, effectively giving you ownership.
Anthropic’s refusal to drop the guardrails on Claude AI for the Pentagon would have been much more impressive if it hadn’t come 48 hours after hackers used Claude to break into Mexican government systems and download 195 million taxpayer records, voter rolls and much, much more.
Anthropic: Our guardrails keep Claude AI safe! Nerd: Kewl! Now hold our beer while me and Claude plunder Mexico
Perfecting Equilibrium Volume Four, Issue 33
The title of the IBM 2026 X-Force Threat Index is “AI-Driven Attacks are Escalating as Basic Security Gaps Leave Enterprises Exposed”; attacks are up 44%, with ransomware and extortion groups surging 49% year over year. Large supply chain and third-party compromises nearly quadrupled since 2020.
But here’s the real indicator of how badly IT security has collapsed: what have you heard about the Columbia hack before this? A hack that exposed 1.8 million Social Security numbers and other highly personal information from a community that includes presidents and Supreme Court justices?
There was hardly any coverage outside the tech rags because it isn’t news. Try a Google search on Columbia University hack:
Man bites dog is news because it rarely occurs. Dog bites man is Just Another Day That Ends In A Y.
And now hacks are Just Another Day That Ends In A Y.
And remember the real twist in this story: Neither my son nor Ashley Belanger has ever been part of the Columbia community in the first place. They never agreed to have their personal information shared with the university.
And yet it was there. Unprotected. And now lost.
But no worries! Columbia is providing all of us affected with two years of credit monitoring!
Data-level security is the only answer. Either security is embedded in the data itself, or others will control it. And if they do, you’ll have no more say in the use of your most important private and corporate data than my son or Ashley Belanger.
Comments of the Week
Dagmar Metzler on And I realize you’re not coming back anymore: Much love and greetings to you all. Thank you for this piece.
And much love to you and Martin in return! Miss you guys!
Steve Ross on And I realize you’re not coming back anymore: Don’t worry about your memories. You have the truly important ones locked up in that brilliant mind of yours. And I can fill you in on exactly what you were doing for your Columbia students. Sigh.
Thank you, my friend.
Tom Johnson on And I realize you’re not coming back anymore: Lovely piece, Chris.
Thank you, my friend.
Charles Smallman on And I realize you’re not coming back anymore:
I feel your loss, Chris; I lost my 71 y.o. father to cancer in May of ‘96, and miss him every day. We don’t choose our family, but can fully appreciate the choices that others made for us...
So sorry for your loss, my friend. It’s been 30 years…but I still see things and think I’ve got to tell Cathy…
The Perfecting Equilibrium Digest, June 3-9, 2026
Easter Eggs
My brain is a peculiar place; it likes to play word association, and then play back songs with those words. Here are the songs playing in my mind as I wrote these articles.
I was on faculty until 2005 AND I'm a Columbia graduate, but never got the letter. My wife, who is a Columbia grad, did. Last month, she was sent a new Medicare card with new ID codes and a vague note about a security issue. I assume, but don't know for sure, that this break was the reason. But in truth, people leave a long ID trail as we amble through life. The last four digits of our Social Security number are public. The first three digits, for all but the younger generation, increase from east to west, just like ZIP codes. That leaves only the middle two digits to guess outright. Our school graduation years and birthdays litter the internet as well. AI (even ML AI) has long allowed combining seemingly benign data such as email addresses, phone numbers, various billing records kept by any store in customer databases with more sensitive data. Now it is easier.
IT security has been a lost cause since it was "corporatized" into SANS training and endless certifications and so on. For most corporations, it was the Last Place You'd Find The White Men Before They Were Fired, so I saw a lot of places where "Security" also did second-level troubleshooting and anything the moron aliens/immigrants couldn't find in their runbooks. But most of the people in "Security" have little idea of how to actually secure anything and in my experience they are all easy to Mitnick-social-engineer.