Over 2.5 million student loan accounts were breached in the summer of 2022, according to a recent Maine Attorney General data breach notification. The target of the breach was Nelnet Servicing, a servicing system and web portal provider for the Oklahoma Student Loan Authority (OSLA) and EdFinancial.
An investigation determined that intruders accessed student loan account registration information between June and July 2022. The stolen data includes names, addresses, emails, phone numbers and social security numbers for 2,501,324 student loan account holders. According to Nelnet, the breach did not expose users’ financial information. At this time, it’s unclear exactly how the breach occurred or who was behind the attack.
According to news reports on the breach, the OSLA security team blocked suspicious activity and launched an investigation with forensic experts. The lender has also notified law enforcement agencies. Some are concerned about the future implications of this incident for student loan borrowers.
Potential future threat to student loan holders
In August 2022, President Biden announced a massive student loan relief plan. This plan impacts millions of borrowers. While the program itself remains stalled in appeals court, the information stolen in the OSLA / Nelnet breach could still be used to take advantage of the loan forgiveness plan. For example, actors could use the stolen email addresses to contact unsuspecting loan holders and dupe them through social engineering or phishing scams. The schemes could also be used to access bank accounts or other sensitive data.
Was it a credential hack?
While the exact details of the OSLA breach are still unclear, the breach did involve the Nelnet web portal. This suggests that stolen credentials may have provided access. Credential theft continues to be one of the most common ways intruders breach systems. Given that so much work occurs remotely and in the cloud, securing networks is more challenging than ever.
The reality is that these types of attacks are all too common. According to one report, 83% of surveyed organizations have had more than one data breach. Also, 45% of the incidents studied were cloud-based. Meanwhile, the average total cost of a data breach has reached $4.35 million.
Security against data breaches
Today’s realities, such as cloud and remote work, have driven the development of new access security solutions. One example is single sign-on, which provides centralized access control, strong authentication and user self-service. Additional security layers, such as multifactor authentication or passwordless access, can also be applied to data and applications.
Another powerful security tool is adaptive access, which continuously evaluates user risk for higher accuracy. This method uses machine learning and AI to analyze key parameters, such as user, device, activity, environment and behavior. This is how adaptive access leverages context to determine holistic risk scores. The analysis drives more accurate, contextual authentication decisions to strengthen security.
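The sketch below is an added example, not code from any vendor or from the organizations named in this article. It shows how the five context categories above can feed one risk score that drives an allow, step-up or deny decision. It uses fixed weights in place of the machine learning model the paragraph describes, and every name, weight, threshold and sample login in it is an assumption constructed for illustration.

```python
from dataclasses import dataclass

# Constructed weights and thresholds; a fixed-weight sum is a simple
# stand-in for the learned model an adaptive access product would use.
WEIGHTS = {"user": 0.25, "device": 0.20, "activity": 0.20,
           "environment": 0.15, "behavior": 0.20}
STEP_UP_AT, DENY_AT = 0.30, 0.70

@dataclass
class LoginContext:
    failed_logins_last_hour: int   # user signal
    device_known: bool             # device signal
    resource_sensitivity: float    # activity: 0.0 (public) .. 1.0 (SSN data)
    country: str                   # environment signal
    usual_countries: frozenset
    hour_utc: int                  # behavior signal
    usual_hours: range

def signals(ctx):
    """Map raw context to a per-category risk value in [0, 1]."""
    return {
        "user": min(ctx.failed_logins_last_hour / 5, 1.0),
        "device": 0.0 if ctx.device_known else 1.0,
        "activity": ctx.resource_sensitivity,
        "environment": 0.0 if ctx.country in ctx.usual_countries else 1.0,
        "behavior": 0.0 if ctx.hour_utc in ctx.usual_hours else 1.0,
    }

def risk_score(ctx):
    s = signals(ctx)
    return round(sum(WEIGHTS[k] * s[k] for k in WEIGHTS), 3)

def decide(ctx):
    """Contextual authentication decision: allow, step up to MFA, or deny."""
    score = risk_score(ctx)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up_mfa"
    return "allow"

# Constructed sample logins for one hypothetical borrower account.
HOME, HOURS = frozenset({"US"}), range(12, 24)
ROUTINE = LoginContext(0, True, 0.2, "US", HOME, 15, HOURS)
NEW_DEVICE = LoginContext(0, False, 1.0, "US", HOME, 15, HOURS)
STUFFING = LoginContext(5, False, 1.0, "XX", HOME, 3, HOURS)
```

With these values, a valid password alone is not enough on an unrecognized device requesting sensitive records: the request is stepped up to multifactor authentication instead of being allowed.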
The OSLA / Nelnet breach was not an isolated event. These incidents are all too common. Organizations should take measures to provide themselves and their customers with adequate protection.