UPDATED 19:49 EST / AUGUST 30 2022


Data breach at Nelnet exposes 2.5 million student loan records

Listed student loans and financial services provider Nelnet Inc. has suffered a data breach, exposing some 2.5 million records belonging to the Oklahoma Student Loan Authority and EdFinancial Services LLC.

According to an Aug. 26 sample notification letter, Nelnet Servicing, a division of Nelnet that provides services to third parties, informed OSLA and EdFinancial on or about July 21 that it had discovered a vulnerability that led to what it called a “data event.” The company tasked its cybersecurity team to take action to secure its servers, block suspicious activity and fix the issue. Nelnet also hired third-party forensic experts to determine the nature and scope of the breach.

On Aug. 17, the investigation determined that some student loan account details were “accessible by an unknown party beginning in June 2022 and ending July 22.” Data potentially stolen included names, addresses, email addresses, phone numbers and Social Security numbers. The U.S. Department of Education and law enforcement were subsequently notified of the breach.

What is missing from the disclosure is the form of the attack and exactly how much data was exposed or stolen. OSLA and EdFinancial have subsequently informed individuals who may have been affected and have offered free identity theft protection services.

“The exposed data contains details crucial for future impersonation or identity theft,” Gil Dabah, co-founder and chief executive officer of data privacy vault provider Piiano Privacy Solutions Inc., told SiliconANGLE. “Companies dealing with sensitive personal information, especially SSNs, must protect such personally identifiable information differently.”

Aaron Sandeen, co-founder and CEO of managed security services company Cyber Security Works Inc., noted that security teams need to be smarter and act proactively before a breach such as this occurs. “As this incident shows, simply blocking the attack as soon as it is detected is not enough anymore,” Sandeen explained. “Crucial data such as names, addresses, and social security numbers have already been exposed.”

David Maynor, senior director of threat intelligence at cybersecurity training firm Cybrary Inc., pointed out that “while we don’t have any more information on the breach that has been publicly disclosed we did find that several class action lawsuits are already being prepared despite the notices of the attack going out on Aug. 26.” Maynor highlighted an investigation into a possible class action lawsuit by Cincinnati law firm Markovits, Stock & DeMarco LLC.

“This is an indicator that breached companies will continue to face more litigious actions after a data breach, which can often be attributed to a lack of cybersecurity skills and/or awareness within their security team,” Maynor added. “Investing in ongoing skill development and training is critical to mitigating threats that could have serious financial and legal ramifications.”
