The same reason any college needs it. And a security breach can happen anywhere, anytime.
You're making it sound like the yeshiva was behind the CC apps while according to the rumor thus far, it was an employee. This can happen anywhere.
The question is not whether the Yeshiva knew about it, or not.
The questions are, once they found out, did they take the (legal) necessary steps to ensure peoples' privacy was protected, and have the proper authorities been contacted?
Is there an investigation currently taking place?
Have they implemented further security measures to prevent future fraud?
Has anybody been compensated? Should anybody be compensated? How much?
Can the people who were not affected in the past be victims of future fraud from the same source?
What can the bochurim do to protect
themselves from this guy?(who may, or may not actually have in his possession their SSN's)
I'm certain there are more questions to be asked, but that's what came to mind initially.