Data breach at Nelnet exposes 2.5 million student loan records

SECURITY

Listed student loans and financial services provider Nelnet Inc. has suffered a data breach, exposing some 2.5 million records belonging to the Oklahoma Student Loan Authority and EdFinancial Services LLC.

According to an Aug. 26 sample notification letter, Nelnet Serving, a division of Nelnet that provides services to third parties, informed OSLA and EdFinancial on or about July 21 that it had discovered a vulnerability that lead to what it called a “data event.” The company tasked its cybersecurity team to take action to secure its servers, block suspicious activity and fix the issue. Nelnet also hired third-party forensic experts to determine the nature and scope of the breach.

On Aug. 17, the investigation determined that some student loan account details were “accessible by an unknown party beginning in June 2022 and ending July 22.” Data potentially stolen included names, addresses, email addresses, phone numbers and Social Security numbers. The U.S. Department of Education and law enforcement were subsequently notified of the breach.

What is missing from the disclosure is the form of the attack and exactly how much data was exposed or stolen. OSLA and EdFinancial have subsequently informed affected individuals who may have been affected and have offered free identity theft protection services.

“The exposed data contains details crucial for future impersonation or identity theft,” Gil Dabah, co-founder and chief executive officer of data privacy vault provider Piiano Privacy Solutions Inc., told SiliconANGLE. “Companies dealing with sensitive personal information, especially SSNs, must protect such personally identifiable information differently.”

Aaron Sandeen, co-founder and CEO of managed security services company Cyber Security Works Inc., noted that security teams need to be smarter and act proactively before a breach such as this occurs. “As this incident shows, simply blocking the attack as soon as it is detected is not enough anymore,” Sandeen explained. “Crucial data such as names, addresses, and social security numbers have already been exposed.”

David Maynor, senior director of threat intelligence at cybersecurity training firm Cybrary Inc., pointed out that “while we don’t have any more information on the breach that has been publicly disclosed we did find that several class action lawsuits are already being prepared despite the notices of the attack going out on Aug. 26.” Maynor highlighted an investigation into a possible class action lawsuit by Cincinnati law firm Markovits, Stock & DeMarco LLC.

“This is an indicator that breached companies will continue to face more litigious actions after a data breach, which can often be attributed to a lack of cybersecurity skills and/or awareness within their security team,” Maynor added. “Investing in ongoing skill development and training is critical to mitigating threats that could have serious financial and legal ramifications.”

Image: Nelnet