Some 2.5 million people were affected in a breach that could lead to further problems.
More than 2.5 million borrowers have been notified by EdFinancial and the Oklahoma Student Loan Authority (OSLA) that their personal information was compromised in a data breach.
According to a breach disclosure letter, the target of the breach was Nelnet Servicing, a Lincoln, Nebraska-based servicing system and web portal provider for OSLA and EdFinancial.
Nelnet notified affected loan recipients of the breach via letter on July 21, 2022.
“[Our] cybersecurity team took immediate action to secure the information system, block the suspicious activity, resolve the issue, and launch[sic] an investigation with third-party forensic experts to determine the nature and scope of the activity,” the letter states.
By August 17, the investigation had determined that personal user information had been accessed by an unauthorized party. Names, home addresses, email addresses, phone numbers, and Social Security numbers for a total of 2,501,324 student loan account holders were exposed. Users' financial information was not disclosed.
According to a breach disclosure filing submitted to the state of Maine by Nelnet’s general counsel, Bill Munn, the breach occurred between June 1, 2022, and July 22, 2022. A letter sent to affected customers, however, dates the breach to July 21. On August 17, 2022, the breach was discovered.
“On July 21, 2022, Nelnet Servicing, LLC (Nelnet), our servicing system, and our customer website will be decommissioned.”
“Our portal provider notified us that they had discovered a vulnerability that we believe contributed to this incident,” according to Nelnet.
It’s not clear what the flaw was.
“On August 17, 2022, this investigation determined that certain student loan account registration information was accessible by an unknown party from June 2022 to July 22, 2022,” according to the letter.
Loan Recipient Targets
Although users’ most sensitive financial information was protected, the personal information obtained in the Nelnet breach “has the potential to be leveraged in future social engineering and phishing campaigns,” according to Melissa Bischoping, endpoint security research specialist at Tanium, in an email statement.
“With the recent news of student loan forgiveness, it’s reasonable to expect scammers to take advantage of the opportunity,” Bischoping said.
Last week, the Biden administration announced a plan to forgive $10,000 in student loan debt for low- and middle-income borrowers. Bischoping claims that the loan forgiveness program will be used as a lure to entice victims into opening phishing emails.
She warns that the recently compromised data will be used to impersonate the affected brands in wave after wave of phishing campaigns aimed at students and recent college graduates.
“They can be particularly deceptive because they can leverage trust from existing business relationships,” she wrote.
According to the breach disclosure, Nelnet Servicing’s cybersecurity team “took immediate action to secure the information system, block the suspicious activity, fix the issue, and launch an investigation with third-party forensic experts to determine the nature and scope of the activity.”
As part of the remediation, affected individuals were also offered two years of free credit monitoring, credit reports, and up to $1 million in identity theft insurance.