Nelnet Data Breach Exposes Millions Of Student Loan Accounts

By ISBuzz Team
Writer, Information Security Buzz | Aug 31, 2022 06:08 am PST

The Office of the Maine Attorney General said in a filing this week that the PII of over 2.5 million people who had taken out student loans with either the Oklahoma Student Loan Authority (OSLA) or EdFinancial was exposed in a data breach. The breach affected Nelnet Servicing, a Nebraska-based technology services provider whose web portals for both loan companies allow borrowers to access their loan accounts.

It is reported that 2,501,324 borrowers were affected by the breach. The exposed borrower information includes the following: full name, physical address, email address, phone number and Social Security number.

2 Expert Comments
Melissa Bischoping, Endpoint Security Research Specialist
August 31, 2022 2:10 pm

While it doesn’t appear that payment or bank account information was among the stolen data, the compromised Personally Identifiable Information (PII) and contact info have the potential to be leveraged in future social engineering and phishing campaigns. Plus, with recent news of student loan forgiveness, it’s reasonable to expect the occasion to be used by scammers as a gateway for criminal activity.

Attackers can craft “lures” to impersonate a provider to target customers. And because they leverage the trust from existing business relationships, they can be particularly deceptive. Receiving a nefarious email from a source sharing accurate PII can lend a false sense of security, making people more likely to click a link or, unbeknownst to them, engage with a threat actor.

It’s best to be skeptical on all occasions, especially when dealing with finances. Consider these takeaways to steer clear of targeted threat campaigns:

  • Visit only authentic loan servicing provider websites for transactions.
  • Avoid links in e-mails claiming to be “loan related.”
  • Analyze any emails related to loans, financing, etc. to confirm URLs, etc.
  • Verify phone numbers or e-mail addresses by going directly to the organization’s official website before engaging.
  • Monitor credit reports for signs of fraud.
David Maynor, Senior Director of Threat Intelligence
August 31, 2022 2:09 pm

While we don’t have any more information on the breach that has been publicly disclosed, we did find that several class action lawsuits are already being prepared despite the notices of the attack going out on August 26th. Markovits, Stock & DeMarco, a law firm in Cincinnati, has posted information on their effort here:

This is an indicator that breached companies will continue to face more litigious actions after a data breach, which can often be attributed to a lack of cybersecurity skills and/or awareness within their security team. Investing in ongoing skill development and training is critical to mitigating threats that could have serious financial and legal ramifications.
