Nelnet Servicing Breach Exposes Data of 2.5M Student Loan Accounts
“Data for over 2.5 million individuals with student loans from Oklahoma Student Loan Authority (OSLA) and EdFinancial was exposed after hackers breached the systems of technology services provider Nelnet Servicing. Technology services from Nelnet Servicing, including a web portal, are used by OSLA and EdFinancial to give students taking out a loan online access to their loan accounts” (Bleeping Computer, 2022).
The attack took place sometime in June 2022, with unidentified intruders compromising Nelnet’s network. While it is unclear how the attackers gained initial access, they are believed to have remained on the systems for an entire month, until July. Nelnet states that it blocked the attack as soon as the breach was detected. However, a subsequent investigation that took place on August 17 2022 determined that certain student loan account registration information might have been accessed. This information includes students’ full names, physical addresses, email addresses, phone numbers, and social security numbers.
In a sample notification letter to impacted parties, sent to the Office of the Maine Attorney General as part of the data breach disclosure process, Nelnet Servicing states that it has informed OSLA and EdFinancial, which are in turn notifying their customers. The letters clarify that no financial account numbers or any form of payment information were exposed in the security incident. EdFinancial also underlines that not all of its clients are hosted by Nelnet Servicing, so not all students who took a loan through EdFinancial are impacted by the data breach.
Analyst comments:
Since confidential PII was stolen, the threat actors could misuse this information for illicit purposes such as phishing attacks, social engineering, or even identity theft. With access to SSNs, cybercriminals could easily open new credit cards in a victim’s name. In turn, this damages the victim’s credit score as the actors run up thousands of dollars in charges with no intention of paying the bills.
“Both EdFinancial and OSLA offer impacted individuals free access to a 24-month identity theft protection service through Experian, with instructions on how to enroll enclosed in the letters” (Bleeping Computer, 2022).
Mitigation tips:
It is recommended that recipients of the notices take immediate action to protect themselves from fraud by enrolling in Experian’s IdentityWorks service and remaining vigilant against all incoming communication. Monitoring bank account statements and requesting a credit report are also advisable. Finally, placing a credit freeze should be considered in high-risk cases; instructions on how to do so are included in the distributed notices.