A data breach of student loan servicer Nelnet Servicing (Nelnet) has affected over 2.5 million student loan borrowers throughout the United States. The breach affected individuals whose student loans are serviced by the Oklahoma Student Loan Authority (OSLA) and Edfinancial Services (Edfinancial) and compromised the names, addresses, email addresses, phone numbers and Social Security numbers of borrowers.

In July 2022, Nelnet reported to OSLA and Edfinancial that it had discovered a vulnerability believed to be the source of the breach, according to a breach notification report Nelnet filed with the Office of the Maine Attorney General. The student loan servicer then initiated an investigation into the vulnerability, led by third-party cyber forensics professionals. The investigation discovered that personally identifiable information (PII) of 2.5 million student loan borrowers was accessible by an unknown actor who gained access to the network. According to a notification letter sent to affected Edfinancial borrowers on August 26, 2022, the PII was accessible to the unknown actor between June 2022 and July 22, 2022.

After the investigation, Nelnet notified the U.S. Department of Education of the breach, and the department then contacted law enforcement. The PII impacted by the breach included names, Social Security numbers, home addresses and more, but did not include financial or payment information, Edfinancial wrote in the notification letter.

"While it doesn’t appear that payment or bank account information was among the stolen data, the compromised PII and contact information has potential to be leveraged in future social engineering and phishing campaigns," said Melissa Bischoping, Director, Endpoint Security Research Specialist at Tanium. "With recent news of student loan forgiveness, it’s reasonable to expect the occasion to be used by scammers as a gateway for criminal activity," she continued.

In response to the data breach, OSLA and Edfinancial notified affected borrowers, and Edfinancial provided two years of credit monitoring and identity theft protection at no cost to data breach victims. Multiple law firms have announced investigations into the incident, citing the possibility of a class action lawsuit.

"This is an indicator that breached companies will continue to face more litigious actions after a data breach, which can often be attributed to a lack of cybersecurity skills and/or awareness within their security team," said David Maynor, Senior Director of Threat Intelligence at Cybrary. "Investing in ongoing skill development and training is critical to mitigating threats that could have serious financial and legal ramifications."