A breach affecting 2.5 million people could lead to further problems. More than 2.5 million borrowers have been notified by EdFinancial and the Oklahoma Student Loan Authority (OSLA) that their personal information was compromised in a loan data breach.
According to a breach disclosure letter, the target of the breach was Nelnet Servicing, a Lincoln, Nebraska-based servicing system and web portal provider for OSLA and EdFinancial.
Nelnet notified the affected loan recipients of the breach via letter on July 21, 2022.
According to the letter, “[our] cybersecurity team took immediate action to secure the information system, block the suspicious activity, resolve the issue, and launch [sic] an investigation with third-party forensic experts to determine the nature and scope of the activity.”
By August 17, the investigation had determined that an unauthorized party had accessed personal user information. Names, home addresses, email addresses, phone numbers, and Social Security numbers were exposed for a total of 2,501,324 students. No financial information of users was disclosed.
According to a filing submitted to the state of Maine by Nelnet’s general counsel, Bill Munn, the breach happened from June to July 22, 2022. A letter sent to affected customers, however, dates the breach to July 21. On August 17, 2022, the breach was discovered.
“On July 21, 2022, Nelnet Servicing, LLC (Nelnet), our servicing system, and our customer website will be decommissioned.”
According to Nelnet, “our portal provider notified that they had discovered a vulnerability that we believe contributed to this incident.”
It’s not clear what the flaw was.
According to the letter, “on August 17, 2022, this investigation determined that certain student loan account registration information was accessed by an unknown party during June 2022 and July 22, 2022.”
Loan Recipient Targets
Although users’ most sensitive financial information was protected, the personal information obtained in the Nelnet breach has the potential to cause future social engineering and phishing campaigns, according to Melissa Bischoping, endpoint security research specialist at Tanium, in an email statement.
“With the recent news of student loan forgiveness, it’s reasonable to expect scammers to take advantage of the opportunity,” Bischoping said.
The Biden administration announced last week a plan to forgive $10,000 in student loan debt for low- and middle-income borrowers. “The loan forgiveness programme will be used to entice victims to open phishing emails,” she said.
Recently compromised data can be used to impersonate affected brands in wave after wave of phishing campaigns aimed at students and college graduates.
“They can be particularly deceptive because they can leverage trust from existing business relationships,” she wrote.
According to the breach disclosure, Nelnet Servicing’s cybersecurity team “took immediate action to secure the information system, block the suspicious activity, fix the issue, and launch an investigation with third-party forensic experts to determine the nature and scope of the activity.”
As remediation, affected individuals are being offered two years of free credit monitoring, credit reports, and up to $1 million in identity theft insurance.