December 7, 2022 By Jonathan Reed 2 min read

Over 2.5 million student loan accounts were breached in the summer of 2022, according to a recent Maine Attorney General data breach notification. The target of the breach was Nelnet Servicing, a servicing system and web portal provider for the Oklahoma Student Loan Authority (OSLA) and EdFinancial.

An investigation determined that intruders accessed student loan account registration information between June and July 2022. The stolen data includes names, addresses, emails, phone numbers and social security numbers for 2,501,324 student loan account holders. According to Nelnet, the breach did not expose users’ financial information. At this time, it’s unclear exactly how the breach occurred or who was behind the attack.

News of the breach states that the OSLA security team blocked suspicious activity and launched an investigation with forensic experts. The lender has also notified law enforcement agencies. Some are concerned about the future implications of this incident for student loanees.

Potential future threat to student loan holders

In August 2022, President Biden announced a massive student loan relief plan. This plan impacts millions of borrowers. While the program itself remains stalled in appeals court, the information stolen in the OSLA / Nelnet breach could still take advantage of the loan forgiveness plan. For example, actors could use the stolen emails to contact unsuspecting loan holders. Through social engineering or phishing scams, borrowers could be duped by nefarious actors. The schemes could also be used to access bank accounts or other sensitive data.

Was it a credential hack?

While the exact details of the OSLA breach are still unclear, the breach did involve the Nelnet web portal. This suggests that stolen credentials may have provided access. This continues to be one of the most common ways intruders breach systems. Given that so much work occurs remotely and in the cloud, securing networks is more challenging than ever.

The reality is that these types of attacks are all too common. According to one report, 83% of surveyed organizations have had more than one data breach. Also, 45% of the incidents studied were cloud-based. Meanwhile, the average total cost of a data breach has reached $4.35 million.

Security against data breaches

Today’s realities, such as cloud and remote work, have driven the development of new access security solutions. One example is single sign-on which provides centralized access control, strong authentication and user self-service. Additional security layers, such as multifactor authentication or passwordless access, can also be applied to data and applications.

Another powerful security tool is adaptive access, which continuously evaluates user risk for higher accuracy. This method uses machine learning and AI to analyze key parameters, such as user, device, activity, environment and behavior. This is how adaptive access leverages context to determine holistic risk scores. The analysis drives more accurate, contextual authentication decisions to strengthen security.

The OSLA / Nelnet breach was not an isolated event. These incidents are all too common. Organizations should take measures to provide themselves and their customers with adequate protection.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today