2.5 Million Student Loan Borrowers Caught in a Breach That’s Still Haunting Them

More than 2.5 million student loan borrowers had their personal data exposed in a breach targeting Nelnet Servicing, the backend provider powering loan portals for EdFinancial and the Oklahoma Student Loan Authority. Names, home addresses, email addresses, phone numbers, and — most critically — Social Security numbers were all accessed by an unauthorized party.

What Happened and When

The breach window stretches from June 1, 2022, to July 22, 2022, though customer notification letters pinpoint the initial access to July 21. Nelnet didn’t confirm the scope of the breach until August 17 — nearly a month after the intrusion was first detected. That gap between discovery and disclosure is significant, and it left millions of people unaware that their most sensitive identifiers were in someone else’s hands.

The exact vulnerability that allowed the breach was never publicly disclosed. Nelnet’s cybersecurity team said they took immediate action to secure systems and block suspicious activity, bringing in third-party forensic experts to investigate. But the details remain thin. What we do know is that the attacker had access to account registration data for over 2.5 million student loan holders — and that data doesn’t expire.

Why This Breach Is Different

On the surface, it could’ve been worse — financial account numbers and payment data weren’t exposed. But don’t let that fool you. The combination of names, addresses, phone numbers, and Social Security numbers is the holy grail for identity thieves. This isn’t data you can reset like a password. Your Social Security number is yours for life.

Security researcher Melissa Bischoping from Tanium pointed out something that makes this breach especially dangerous: timing. The breach coincided with the Biden administration’s announcement of student loan forgiveness — up to $10,000 in debt cancellation for low- and middle-income borrowers. That policy created a perfect storm for scammers. Imagine getting an email that looks like it’s from your loan servicer, referencing the forgiveness program, and including enough personal details to seem legitimate. That’s not hypothetical — that’s the playbook.

Phishing campaigns using breached data from trusted business relationships are among the hardest to spot. The attacker doesn’t need to spoof an email address when they already know your name, your loan servicer, and your Social Security number.

What Affected Borrowers Should Do

Nelnet offered two years of free credit monitoring and up to $1 million in identity theft insurance. That’s a start, but two years isn’t nearly long enough when Social Security numbers are involved. Here’s what you should consider. Freeze your credit with all three bureaus — it’s free, and it’s the single most effective step against identity theft. Set up fraud alerts. Monitor your credit reports regularly. And be extremely skeptical of any communication claiming to be from your loan servicer, especially if it references loan forgiveness or asks you to verify personal information.

The Long Tail of Data Breaches

This breach is a textbook example of why data breach impact doesn’t end when the headlines fade. The data stolen in mid-2022 is still out there, still valuable, and still being used. Student loan borrowers — many of them young adults building their financial lives for the first time — will be dealing with the consequences for years. If you were affected, treat this as an ongoing risk, not a resolved incident. The attackers got what they came for. The question is when they’ll use it.