Data breach exposes records of 2.5 million student loan borrowers (2024)

A data breach of student loan servicer Nelnet Servicing (Nelnet) has affected over 2.5 million student loan borrowers throughout the United States. The breach affected individuals whose student loans are serviced by the Oklahoma Student Loan Authority (OSLA) and Edfinancial Services (Edfinancial) and compromised the names, addresses, email addresses, phone numbers and Social Security numbers of borrowers.

In July 2022, Nelnet reported to OSLA and Edfinancial that it had discovered a vulnerability believed to be the source of the breach, according to a breach notification report filed by Nelnet with the Office of the Maine Attorney General. The student loan servicer then initiated an investigation into the vulnerability, led by third-party cyber forensics professionals. The investigation discovered that personally identifiable information (PII) of 2.5 million student loan borrowers was accessible to an unknown actor who gained access to the network. According to a notification letter sent to affected Edfinancial borrowers on August 26, 2022, the PII was accessible to the unknown actor between June 2022 and July 22, 2022.

After the investigation, Nelnet notified the U.S. Department of Education of the breach, and the department then contacted law enforcement. The PII impacted by the breach included names, Social Security numbers, home addresses and more, but did not include financial or payment information, Edfinancial wrote in the notification letter.

"While it doesn’t appear that payment or bank account information was among the stolen data, the compromised PII and contact information has potential to be leveraged in future social engineering and phishing campaigns," said Melissa Bischoping, Director, Endpoint Security Research Specialist at Tanium. "With recent news of student loan forgiveness, it’s reasonable to expect the occasion to be used by scammers as a gateway for criminal activity," she continued.

In response to the data breach, OSLA and Edfinancial notified affected borrowers, and Edfinancial provided two years of credit monitoring and identity theft protection at no cost to data breach victims. Multiple law firms have announced investigations into the incident, citing the possibility of a class action lawsuit.

"This is an indicator that breached companies will continue to face more litigious actions after a data breach, which can often be attributed to a lack of cybersecurity skills and/or awareness within their security team," said David Maynor, Senior Director of Threat Intelligence at Cybrary. "Investing in ongoing skill development and training is critical to mitigating threats that could have serious financial and legal ramifications."

Madeline Lauver is a former Editor in Chief at Security magazine. Within her role at Security, Lauver focused on news articles, web exclusives, features and several departments for Security’s monthly digital edition, as well as managing social media and multimedia content.

FAQs

Data breach exposes records of 2.5 million student loan borrowers?

The student loan servicer then initiated an investigation into the vulnerability, led by third-party cyber forensics professionals. The investigation discovered that personally identifiable information (PII) of 2.5 million student loan borrowers was accessible to an unknown actor who gained access to the network.

What data breach exposes records of 2.5 million student loan borrowers?

A data breach at Nelnet may have exposed the data of about 2.5 million student loan borrowers serviced by Edfinancial Services and Oklahoma Student Loan Authority.

What is the student loan data breach leaks 2.5 million Social Security numbers?

An investigation determined that intruders accessed student loan account registration information between June and July 2022. The stolen data includes names, addresses, emails, phone numbers and Social Security numbers for 2,501,324 student loan account holders.

What are examples of a data breach choose multiple answers?

Read on, and we'll discuss the seven most common types and how they can affect your business.
  • Stolen Information. ...
  • Ransomware. ...
  • Password Guessing. ...
  • Recording Keystrokes. ...
  • Phishing. ...
  • Malware or Viruses. ...
  • Distributed Denial-of-Service (DDoS)

Did EdFinancial get hacked?

Approximately 2.2 million affected borrowers are assigned to Edfinancial, while approximately 250,000 are assigned to OSLA. Of the accounts serviced by OSLA, 1,477 borrowers live in Oklahoma. If your account has been affected, you will receive a letter with more information.

What information is leaked in a data breach?

A data breach can result in the leak of several types of information: Financial data—such as credit card numbers, bank details, tax forms, invoices, financial statements.

What data was leaked in the Equifax breach?

Information accessed in the breach included first and last names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers for an estimated 143 million Americans, based on Equifax's analysis. Information on almost 14 million British residents was also compromised.

What if your SSN gets leaked?

Contact your local police department and tell them that your identity has been stolen and that you'd like to file a report. They should provide you with a copy of the report when it's done, but if they don't offer you one, be sure to ask for it.

Is Biden being sued over student loans?

Two groups of Republican-led states have sued President Joe Biden over the student loan repayment plan he launched last year, arguing he's once again overstepping his authority to cancel student debt.

What caused the student loan crisis?

Today's student debt problem can be traced to the 1960s, when California Gov. Ronald Reagan cut higher education funding and raised tuition. Once considered a public good, higher education became seen nationwide as a private commodity.

What qualifies as a data breach?

A data breach is any security incident in which unauthorized parties gain access to sensitive or confidential information, including personal data (Social Security numbers, bank account numbers, healthcare data) or corporate data (customer data records, intellectual property, financial information).

What are the three kinds of data breach?

The most common types of data breaches are: Ransomware. Phishing. Malware.

What is an example of a data breach?

Examples of personal data breaches include: Human error, for example an email attachment containing personal data being sent to the incorrect recipient or records being deleted accidentally. Sharing of passwords or other credentials with third parties.

Is EdFinancial considered a federal student loan?

EdFinancial Services is one of several loan servicers contracted by the federal government to manage billing for federal student loans. Based in Knoxville, Tennessee, EdFinancial has been in the student loan business for over three decades and services loans for over five million borrowers as of August 2023.

Has Sallie Mae been hacked?

According to the Attorney General of Massachusetts, Sallie Mae reported a data breach after learning that an unauthorized party may have been able to gain access to confidential consumer information. The company launched an investigation and was able to confirm the breach.

Is OSLA shutting down?

The Department of Education announced in April 2023 that it signed new contracts with five student loan servicers. OSLA's contract was not renewed in the servicer overhaul, so it will only continue servicing loans through December 2024.

How did the Nelnet breach happen?

Sometime in June, unidentified intruders compromised Nelnet Servicing and stayed on its systems until July 22. The hackers compromised the company's network, likely after exploiting a vulnerability. About 2,501,324 individuals have been impacted by the breach.

What is the data breach 2017?

In September of 2017, Equifax announced a data breach that exposed the personal information of 147 million people.

What is the largest data breach on record?

The largest reported data leakage as of January 2024 was the Cam4 data breach in March 2020, which exposed more than 10 billion data records. The second-largest data breach in history so far, the Yahoo data breach, occurred in 2013.

What is the biggest data breach in history?

Here are the top ten biggest data breaches ever, and how many records were leaked in the process:
  • Yahoo (2014) – 500 million.
  • Friend Finder Network (2016) – 412 million.
  • Exactis (2018) – 340 million.
  • Airtel (2019) – 320 million.
  • Truecaller (2019) – 299 million.
  • MongoDB (2019) – 275 million.

Article information

Author: Jerrold Considine
