Source: Student Loan Breach Exposes 2.5M Records | Threatpost
EdFinancial and the Oklahoma Student Loan Authority (OSLA) are notifying over 2.5 million loanees that their personal data was exposed in a data breach.
The target of the breach was Nelnet Servicing, the Lincoln, Neb.-based servicing system and web portal provider for OSLA and EdFinancial, according to a breach disclosure letter.
Nelnet revealed the breach to affected loan recipients on July 21, 2022 via a letter.
“[Our] cybersecurity team took immediate action to secure the information system, block the suspicious activity, fix the issue, and launched[sic] an investigation with third-party forensic experts to determine the nature and scope of the activity,” according to the letter.
By August 17th, the investigation determined that personal user information was accessed by an unauthorized party. That exposed information included names, home addresses, email addresses, phone numbers and social security numbers for a total of 2,501,324 student loan account holders. Users’ financial information was not exposed.
According to a breach disclosure filing submitted by Nelnet’s general counsel, Bill Munn, to the state of Maine the breach occurred sometime between June 1, 2022 and July 22, 2022. However, a letter to affected customers pinpoints the breach to July 21. The breach was discovered on August 17, 2022.
“On July 21, 2022, Nelnet Servicing, LLC (Nelnet), our servicing system and customer website
portal provider, notified us that they had discovered a vulnerability that we believe led to this incident,” according to the Nelnet.
It’s unclear what the vulnerability was.
“On August 17, 2022, this investigation determined that certain student loan account registration information was accessible by an unknown party beginning in June 2022 and ending on July 22, 2022,” according to the letter.