EdFinancial and the Oklahoma Student Loan Authority announced that personal information for more than 2.5 million student loan borrowers was exposed in a breach at their servicing provider, Nelnet. According to notices mailed to affected customers, the breach targeted Nelnet Servicing and impacted its servicing system and web portal. Nelnet revealed the incident on July 21, 2022, after discovering a vulnerability that exposed borrowers’ data from June 1 to July 22 of that year.
An investigation found exposed information included names, addresses, email addresses, phone numbers, and Social Security numbers—enough for identity theft and phishing. Financial data was not accessed. The breach impacted 2,501,324 student loan accounts.
Nelnet’s general counsel reported the breach to Maine regulators, saying it was discovered August 17 and occurred over nearly 3 months. Notices to customers, however, said the breach was found and stopped on July 21, introducing uncertainty over its timeline and scope. A notification letter to impacted parties has been sent to the Office of the Maine Attorney General.
The exposed information could facilitate social engineering and phishing attempts, especially around new student loan forgiveness programs, warned Melissa Bischoping, an endpoint security specialist. Impersonation scams may target affected students and families, leveraging their trust in Nelnet and the stolen data.
To help victims, Nelnet offers two years of credit monitoring, credit reports, and up to $1 million in identity theft insurance. The company claimed its cybersecurity team quickly closed the vulnerability and is investigating the breach with forensic experts. But questions remain over how the exposure lasted months and the risks now facing millions of borrowers.
Student loan servicers like Nelnet maintain troves of sensitive personal data, making them tempting targets for cybercriminals seeking information that can be exploited at scale. Institutions throughout the financial sector must aggressively monitor for vulnerabilities and breaches that can undermine customers’ privacy and security. Over 2.5 million people now anxiously await further details on a failure that compromised their financial identities and access. With student debt issues already destabilizing lives and livelihoods, this breach introduces new layers of precariousness and harm. Its impacts may linger for years in higher education finance and beyond.