Student loan accounts exposed after a Nelnet Servicing breach

September 6, 2022

Millions of student loan accounts from the Oklahoma Student Loan Authority (OSLA) were exposed after a group of threat actors breached Nelnet Servicing. Nelnet Servicing's technology services include a web portal that the Oklahoma Student Loan Authority uses to give students who have taken out loans online access to their accounts.

According to reports, unidentified attackers compromised Nelnet Servicing a couple of months ago and remained in its systems for over a month. The adversaries compromised the firm's network after exploiting an unknown vulnerability.

According to the researchers, approximately 2.5 million individuals are affected by the security breach.

A sample notification letter to affected users has been sent to the Office of the Maine Attorney General as part of the breach disclosure process. The technology provider has also informed the Oklahoma Student Loan Authority, notifying its customers.

 

Nelnet Servicing’s immediate actions were insufficient to prevent other student loan data from leaking.

 

Despite Nelnet Servicing's effort to block the cyberattack as soon as it identified the breach, a separate investigation revealed that the threat actors might have compromised certain loan account registration information.

The researchers believed that the compromised information included full names, addresses, email addresses, mobile phone numbers, and Social Security numbers. However, the sample letter clarified that the hackers exposed no financial account numbers or payment information during the data breach.

OSLA's partner also explained that not all its clients are hosted on Nelnet Servicing. Hence, the attack does not impact students who took a loan through them.

Threat actors with access to the information may engage in phishing attacks, social engineering, impersonation, and various scams. Because loans are a sensitive topic, the risk from exposure is amplified.

Fortunately, OSLA and its partner offered impacted individuals free access to a two-year identity theft protection service, with instructions on how to enroll.

Experts recommend that recipients of data breach notices take action to guard themselves against fraud and identity theft. Affected individuals are also asked to remain vigilant about all incoming communications, since most incoming messages might be hostile.
