The Office of the Maine Attorney General said in a filing this week that the PII of over 2.5 million people who had taken out student loans with either the Oklahoma Student Loan Authority (OSLA) or EdFinancial was exposed in a data breach. The breach affected Nelnet Servicing, a Nebraska-based technology services company that provides web portals for both loan companies, which allow borrowers to access their loan accounts.
It is reported that 2,501,324 borrowers were affected by the breach. The exposed borrower information includes the following: full name, physical address, email address, phone number, and Social Security number.
While it doesn’t appear that payment or bank account information was among the stolen data, the compromised Personally Identifiable Information (PII) and contact info have the potential to be leveraged in future social engineering and phishing campaigns. Plus, with recent news of student loan forgiveness, it’s reasonable to expect scammers to use the occasion as a gateway for criminal activity.
Attackers can craft “lures” to impersonate a provider to target customers. And because they leverage the trust from existing business relationships, they can be particularly deceptive. Receiving a nefarious email from a source sharing accurate PII can lend a false sense of security, making people more likely to click a link or, unbeknownst to them, engage with a threat actor.
It’s best to be skeptical on all occasions, especially when dealing with finances. Consider these takeaways to steer clear of targeted threat campaigns:
While we don’t have any more information on the breach beyond what has been publicly disclosed, we did find that several class action lawsuits are already being prepared, despite the notices of the attack going out on August 26th. Markovits, Stock & DeMarco, a law firm in Cincinnati, has posted information on its effort here: https://www.msdlegal.com/blog/2022/08/nelnet-servicing-data-breach-class-action-investigation/.
This is an indicator that breached companies will continue to face more legal action after a data breach. Such breaches can often be attributed to a lack of cybersecurity skills and/or awareness within their security team. Investing in ongoing skill development and training is critical to mitigating threats that could have serious financial and legal ramifications.