Data breach at Nelnet exposes 2.5 million student loan records
Publicly listed student loan and financial services provider Nelnet Inc. suffered a data breach, exposing some 2.5 million records belonging to the Oklahoma Student Loan Authority and EdFinancial Services LLC.
According to a sample notification letter from August 26, Nelnet Servicing, a division of Nelnet that provides services to third parties, notified OSLA and EdFinancial on or about July 21 that it had discovered a vulnerability that led to what it called a “data event”. The company instructed its cybersecurity team to take steps to secure its servers, block suspicious activity, and resolve the issue. Nelnet has also engaged third-party forensic experts to determine the nature and extent of the breach.
On August 17, the investigation determined that certain student loan account details were “accessible by an unknown party beginning in June 2022 and ending on July 22.” Potentially stolen data included names, addresses, email addresses, phone numbers and Social Security numbers. The US Department of Education and law enforcement were later notified of the breach.
Missing from the disclosure are the form of the attack and the exact amount of data that was exposed or stolen. OSLA and EdFinancial subsequently notified individuals who may have been affected and offered free identity theft protection services.
“The exposed data contains crucial details for future impersonation or identity theft,” Gil Dabah, co-founder and managing director of data privacy vault provider Piiano Privacy Solutions Inc., told SiliconANGLE. “Companies handling sensitive personal information, particularly SSNs, must protect that personally identifiable information differently.”
Aaron Sandeen, co-founder and CEO of managed security services company Cyber Security Works Inc., noted that security teams need to be smarter and act proactively before a breach like this happens. “As this incident shows, it is no longer enough to block the attack as soon as it is detected,” Sandeen explained. “Critical data such as names, addresses and social security numbers have already been exposed.”
David Maynor, senior director of threat intelligence at cybersecurity training company Cybrary Inc., pointed out that “although we do not have more information about the breach which has been publicly disclosed, we have noted that several class action lawsuits are already in the works despite the attack notices published on August 26.” Maynor pointed to a possible class action investigation by the Cincinnati law firm Markovits, Stock & DeMarco LLC.
“This is an indicator that hacked companies will continue to face more contentious actions after a data breach, which can often be attributed to a lack of cybersecurity skills and/or awareness within their security team,” added Maynor. “Investing in ongoing skills development and training is key to mitigating threats that could have serious financial and legal ramifications.”