The Oklahoma Student Loan Authority (OSLA) and EdFinancial recently announced that over 2.5 million loanees were the victims of a severe data breach that has compromised their personal information. The target of the attack was a Lincoln, Nebraska-based web portal and servicing system provider called Nelnet Servicing, which is used by both OSLA and EdFinancial.
Affected loan recipients received notification of the breach via a letter on July 21, 2022. The disclosure indicated that Nelnet’s security team immediately acted to secure their systems, block the suspicious activity, fix the problem, and launch a forensic investigation with third-party experts to learn the origin and scope of the breach.
By August 17, it was determined that the unauthorized party had successfully accessed users’ personal information, including names, home, email addresses, phone numbers, and Social Security numbers, for a total of 2,501,324 student loan account holders. The information remained accessible to the bad digital actor from June 2022 until July 22, 2022. Sensitive financial details were not compromised.
While it is fortunate that the criminals obtained no financial information, this breach is still likely to have serious consequences for the millions of people affected by it. For instance, victims will be much more vulnerable to future social engineering and phishing attacks perpetrated by these hackers and by anyone to whom they sell the data they have stolen.
With recent attention being hyper-focused on loan forgiveness and its complications, scammers will likely take advantage of this opening to initiate more crimes against individuals, many of whom are already living on the financial razor’s edge. For instance, people who have recently heard of President Biden’s loan forgiveness program may be lured into opening phishing emails that falsely claim to be from the government, thus exposing loanees to further financial loss and emotional upset.
As part of its pledge to remediate the causes and consequences of the data breach, Nelnet is also taking steps to assist those who were directly affected. Anyone who received the breach notification is eligible to receive two years of free credit monitoring and credit reports and up to $1 million in identity theft insurance.
