Many student loan borrowers caught a huge break this week with government forgiveness of some student loan debt. But for 2.5 million student loan borrowers, the week also brought news of a breach of their contact information and Social Security numbers.
Nelnet Servicing in Nebraska provides technology services to EdFinancial and OSLA, including portals that student loan borrowers use to create and access their student loan accounts. Their notification template, a copy of which was submitted to the Maine Attorney General’s Office, indicates that Nelnet discovered a vulnerability. They do not indicate exactly when they first discovered it although it appears to have been in July. Nor do they describe the nature of the vulnerability. What they do write is the following:
On or about July 21, 2022, Nelnet Servicing notified Edfinancial and OSLA that it had discovered a vulnerability it believed led to this incident. Nelnet Servicing informed Edfinancial and OSLA that Nelnet Servicing’s cybersecurity team took immediate action to secure the information system, block the suspicious activity, fix the issue, and launched an investigation with third-party forensic experts to determine the nature and scope of the activity. On August 17, 2022, this investigation determined that certain student loan account registration information was accessible by an unknown party beginning in June 2022 and ending on July 22, 2022. Following these actions, Nelnet Servicing notified the U.S. Department of Education, which in turn notified law enforcement. The information that could have been subject to unauthorized access includes name, address, email address, phone number, and Social Security number.
The full notification appears below. Those notified are being offered 24 months of credit monitoring services.
According to Nelnet’s report to the Maine Attorney General’s Office, a total of 2,501,324 people were affected by this incident.
Nelnet Servicing - Notice of Data Event - ME - Exhibit 1