More than 2.5 million student loan borrowers just had their names, addresses, email addresses, phone numbers, and Social Security numbers exposed in a data breach that went undetected for weeks. The target: Nelnet Servicing, the backend provider handling loan accounts for EdFinancial and the Oklahoma Student Loan Authority.
What Happened
Between June 1 and July 22, 2022, an unauthorized party accessed the personal data of 2,501,324 student loan account holders through a vulnerability in Nelnet’s systems. Nelnet didn’t discover the breach until August 17 — nearly two months after it started. The company says its cybersecurity team moved quickly once it found the breach, securing systems and bringing in third-party forensic experts to scope the damage.
The exposed data is the identity theft trifecta: names, home addresses, email addresses, phone numbers, and Social Security numbers. Financial account details weren’t touched, but honestly, the personal information alone is more than enough to open fraudulent accounts, file fake tax returns, or launch targeted phishing campaigns.
Why This Is Worse Than It Looks
First, the timeline. A six-to-eight-week window of unauthorized access means the attacker had plenty of time to exfiltrate data quietly. Second, the victims are a captive audience — these are people with student loans who can’t just switch providers. They’re stuck trusting that Nelnet and its partners will protect their data, and that trust just took a serious hit.
Third, this isn’t an isolated incident. Student loan servicers handle some of the most sensitive personal data in the country, yet they’re often running on legacy infrastructure that wasn’t designed with modern threat models in mind. A single vulnerability in a shared servicing platform like Nelnet’s cascades across multiple lenders and hundreds of thousands of borrowers.
What Affected People Should Do
If you have student loans serviced through EdFinancial or OSLA, assume your data was in that breach. Place a fraud alert on your credit reports with all three bureaus. Consider a credit freeze — it’s free and the most effective way to prevent new account fraud. Watch for phishing emails and calls referencing your loan details; attackers will absolutely use this data for social engineering.
Monitor your credit reports closely for the next 12-24 months. The data from this breach will circulate on dark web marketplaces for years.
What’s Next
Nelnet is offering the usual breach response — notifications, credit monitoring, the standard playbook. But the real question is whether regulators will push for stricter security requirements for student loan servicers. With 2.5 million SSNs in the wild, the pressure is building.
