More than 2.5 million student loan borrowers had their personal data — including Social Security numbers — exposed in a breach targeting Nelnet Servicing, a backend provider for major student loan servicers EdFinancial and the Oklahoma Student Loan Authority.
What Was Exposed
The compromised data included names, home addresses, email addresses, phone numbers, and Social Security numbers. That’s essentially everything an identity thief would need. Financial account data was not exposed, which is small comfort given the sensitivity of the information that was.
The breach occurred between June 1 and July 22, 2022, though it wasn’t discovered until August 17 of that year — a gap of weeks to months depending on when the initial intrusion happened. Nelnet told affected organizations it had “identified a vulnerability” but didn’t provide detailed technical specifics in its customer notification letters.
Why Student Loan Data Is Especially Valuable
Student loan data sits in a sweet spot for attackers: it contains verified identity information (SSNs, addresses) tied to people who are often young, digitally native, and less likely to actively monitor their credit. Borrowers might not notice fraudulent activity for months or years. And unlike a credit card number, you can’t cancel a Social Security number.
The scale — 2.5 million records — also makes this attractive for bulk fraud operations. That dataset could fuel targeted phishing campaigns against student loan borrowers for years to come.
What Affected Borrowers Should Do
If you held a student loan serviced through EdFinancial or OSLA, assume your data was in this breach. Place a fraud alert or credit freeze with all three major bureaus (Experian, Equifax, TransUnion). Monitor your credit reports through annualcreditreport.com. And be wary of phishing emails or calls claiming to be from your loan servicer — if criminals have your SSN and loan details, those attacks will be highly convincing.
The Takeaway
Nelnet Servicing processes data for millions of borrowers, and a single vulnerability in their systems cascaded into one of the larger education-sector breaches in recent years. It’s a reminder that when it comes to your personal data, you’re only as secure as the weakest link in the chain — and you often don’t get to choose which companies handle your information.
