A data breach at Nelnet may have exposed the data of about 2.5 million student loan borrowers serviced by Edfinancial Services and Oklahoma Student Loan Authority.
Nelnet said that on July 21, it notified the impacted student loan servicers using the company’s servicing system about an incident impacting the website used by borrowers. According to the Lincoln-based company, an unknown party accessed "certain student loan account registration" sometime between early June and late July.
"Our cybersecurity team discovered a vulnerability believed to have led to this incident and took immediate action to secure the systems, block the suspicious activity, and fix the issue," Nelnet said in a statement. "The Department of Education was also notified, and we launched an investigation with third-party forensic experts to determine the nature and scope of the activity."
People are also reading…
The statement said that both Nelnet and the Department of Education have contacted law enforcement and are cooperating with the investigation.
Nelnet said a forensic examination found that the impacted information included borrowers' names, addresses, email addresses, phone numbers and Social Security numbers, but not financial account numbers or payment information. There has been no known unauthorized use of the information, the statement said.
The data breach did not impact any borrowers served directly by Nelnet or its Great Lakes subsidiary, the company said.
Nelnet said affected borrowers have been offered 24 months of credit monitoring and identity theft protection services at no cost.
"Protecting the personal information customers, clients and associates entrust to Nelnet is a top priority," the company said in its statement. "Nelnet takes safeguarding data seriously and is committed to continue taking steps to keep information secure."
The company is already facing a class-action lawsuit related to the data breach.
The lawsuit, with Jesse Herrick named as lead plaintiff, was filed Tuesday in U.S. District Court in Nebraska. It seeks an unquantified amount of both actual and punitive damages.