On August 31, 2022, Threatpost reported that a data breach at Nelnet Servicing had exposed the personal information of over 2.5 million people. Those affected included customers of OSLA and EdFinancial. The breach was discovered on July 21, 2022, with an investigation confirming access to user details such as names, home addresses, email addresses, phone numbers, and Social Security numbers.
Upon discovery of the vulnerability, Nelnet Servicing immediately secured the information system, blocked suspicious activity, fixed the issue, and initiated a forensic investigation. By August 17, 2022, it was determined that an unauthorized party had accessed this sensitive data between June 1 and July 22, 2022. Affected users were notified via letters from Nelnet Servicing.
Melissa Bischoping, an endpoint security research specialist at Tanium, highlighted the potential for this breach to be used in future phishing campaigns, especially given recent news on student loan forgiveness programs. The compromised data could be leveraged by scammers to impersonate legitimate businesses and trick victims into opening malicious emails or clicking fraudulent links.
As a result of the incident, Nelnet Servicing offered two years of free credit monitoring and up to $1 million in identity theft insurance to impacted users.