“Dear Student, your student loan service for Federal Student Aid (FSA), is writing to make you aware of an incident that may affect the security of some of your information. While we are not aware of any actual or attempted misuse of your information…” Recently, letters like this were sent to over 2.5 million individuals in the United States. The “incident” was a breach of the databases of Nelnet Servicing, the federal student loan servicer working on behalf of the U.S. Department of Education.
The “information” that was breached is the personal information of over 2.5 million student loan borrowers, including full name, physical address, email address, phone number and SOCIAL SECURITY NUMBER. That is all the legitimate information a fraudster needs to obtain licenses, credit cards and loans (not just student loans), and to benefit from the newly announced student loan forgiveness program. Congratulations, students! Not only do you owe a corrupt student loan system authorized by the government, but someone has stolen your identity!
According to the notification letter dated August 26, 2022, Nelnet informed parties that on or about July 21 it had discovered a “vulnerability” in its databases. Upon discovery, Nelnet’s cybersecurity team took action to secure its servers, block suspicious activity and fix the issue.
But what Nelnet didn’t appear to do is notice when the breach occurred. Investigations determined that student loan account details were accessible by an unknown party beginning sometime in June 2022 and ending July 22, 2022. These fraudsters had somewhere between three and seven weeks to gather IDs!
There are no kudos for this Fraud of the Day, only lessons learned. This incident shows that blocking the attack as soon as it is detected is not enough. Companies need to put identity verification solutions in place and manage fraud risk before a breach such as this occurs.
It is great that ID Protection has been offered to the victims for two years. The only problem is that the 2.5 million identities are now vulnerable for the lifetime of each individual victim. Thanks, Nelnet.
Today’s Fraud of the Day is based on an article, “Nelnet Servicing breach exposes data of 2.5M student loan accounts,” published by Bleeping Computer on August 29, 2022.
Data for over 2.5 million individuals with student loans from Oklahoma Student Loan Authority (OSLA) and EdFinancial was exposed after hackers breached the systems of technology services provider Nelnet Servicing.
Technology services from Nelnet Servicing, including a web portal, are used by OSLA and EdFinancial to give students taking out a loan online access to their loan accounts.