Data for over 2.5 million individuals with student loans from Oklahoma Student Loan Authority (OSLA) and EdFinancial was exposed after hackers breached the systems of technology services provider Nelnet Servicing.
OSLA and EdFinancial use technology services from Nelnet Servicing, including a web portal, to give students taking out a loan online access to their loan accounts.
Sometime in June, unidentified intruders compromised Nelnet Servicing and stayed on its systems until July 22. The hackers likely compromised the company’s network after exploiting a vulnerability.
About 2,501,324 individuals have been impacted by the breach.
According to a sample notification letter to impacted parties sent to the Office of the Maine Attorney General as part of the data breach disclosure process, Nelnet Servicing has informed OSLA and EdFinancial, who are notifying their customers.
Although Nelnet states it blocked the cyberattack as soon as the breach was detected, a subsequent investigation that was completed on August 17, 2022, determined that certain student loan account registration information might have been accessed.
The exposed information includes the following:
- Full name
- Physical address
- Email address
- Phone number
- Social Security Number
The letters clarify that no financial account numbers or any form of payment information were exposed due to the security incident.
EdFinancial also underlines that not all its clients are hosted by Nelnet Servicing, so not all students that took a loan through them are impacted by the data breach.
Threat actors with access to the aforementioned information may engage in phishing attacks, social engineering, impersonation, and various scamming schemes. As the topic of loans is particularly sensitive, the risk of exposure is amplified.
Due to the seriousness of this data breach incident, law firm “Markovits, Stock & DeMarco” yesterday launched an investigation into the potential for a class action lawsuit.
Both EdFinancial and OSLA offer impacted individuals free access to a 24-month identity theft protection service through Experian, with instructions on how to enroll enclosed in the letters.
“We encourage you to remain vigilant against incidents of identity theft and fraud over the next 24 months, by reviewing your account statements and monitoring your free credit reports for suspicious activity and to detect errors,” reads the notice sent to affected borrowers.
It is recommended that recipients of the notices take immediate action to protect themselves from fraud by enrolling in Experian’s IdentityWorks service and remaining vigilant against all incoming communication.
Monitoring bank account statements and requesting a credit report is also advisable. Finally, placing a credit freeze should be considered for high-risk cases. Instructions on how to do that are included in the distributed notices.
Source: www.bleepingcomputer.com