A significant data breach at a technology services provider has exposed the personal records of approximately 2.5 million student loan borrowers. The incident affected individuals whose loans are serviced by two major organizations: Nelnet Servicing and the Oklahoma Student Loan Authority (OSLA). Both entities utilize the same third-party provider for web portal services, which was the source of the vulnerability. The exposed data includes highly sensitive personally identifiable information (PII), leading to official notifications being sent to millions of people across the country.

Timeline and Discovery of the Breach

The security event was first detected by Nelnet Servicing on July 21, 2022, after the company observed suspicious activity. A subsequent investigation, assisted by third-party forensic experts, determined that an unauthorized actor had exploited a system vulnerability. This exploitation allowed the actor to access student loan account registration data. According to a formal notification letter filed with Maine’s Attorney General, the period of unauthorized access occurred between June 1, 2022, and July 22, 2022. Upon discovery, Nelnet secured its systems and launched measures to block further malicious activity while assessing the scope of the data exposure.

Compromised Information and Company Response

The investigation confirmed that the compromised information included borrowers’ full names, physical addresses, email addresses, phone numbers, and Social Security numbers. The total number of individuals impacted by the breach was officially reported as 2,501,324. In response, Nelnet Servicing began mailing data breach notification letters to affected borrowers on August 26, 2022. As a protective measure, the company is offering all affected individuals a complimentary 24-month membership for identity theft protection services through Experian. Nelnet also confirmed that it notified the U.S. Department of Education and law enforcement agencies about the security incident.