More than 2.5 million student loan borrowers just learned their names, addresses, phone numbers, emails, and Social Security numbers were accessed by an unauthorized party — in a breach that went undiscovered for over a month.
The incident targeted Nelnet Servicing, the Lincoln, Nebraska-based company that runs the servicing systems and web portals for the Oklahoma Student Loan Authority (OSLA) and EdFinancial. Both organizations are now notifying affected borrowers.
What Happened
Nelnet discovered the breach on July 21, 2022, notifying EdFinancial and OSLA that same day. But the actual exposure window stretches back to at least June 1 — meaning the vulnerability was exploitable for roughly seven weeks before anyone caught it. The investigation, which involved third-party forensic experts, confirmed on August 17 that personal data had been accessed.
The exposed data includes names, home addresses, email addresses, phone numbers, and Social Security numbers. That’s nearly everything a social engineer would need to convincingly impersonate a lender, servicer, or government agency. Financial account information was not compromised, but honestly — it doesn’t need to be.
Why the Timing Makes This Worse
This breach landed at perhaps the worst possible moment. The Biden administration had just announced plans to cancel $10,000 in student loan debt for low- and middle-income borrowers. Melissa Bischoping, endpoint security research specialist at Tanium, pointed out that scammers will almost certainly weaponize the loan forgiveness program, using the breached data to send hyper-targeted phishing emails that look like they’re from Nelnet, OSLA, EdFinancial, or the federal government.
“Because they can leverage the trust from existing business relationships, they can be particularly deceptive,” Bischoping noted. When you get an email that references your actual loan servicer, includes your real name and address, and arrives right when loan forgiveness is in the headlines, the instinct to click gets a lot stronger.
The Vulnerability Itself Is Still Unclear
Here’s what’s frustrating: neither Nelnet nor its partners have publicly disclosed what the actual vulnerability was. The disclosure letter references “a vulnerability” but provides no technical details. Given that the data exposure required access to account registration information through Nelnet’s systems, this could have been anything from an API flaw to an authentication bypass to a simple misconfiguration. Without transparency, other organizations using similar servicing platforms are left guessing about their own risk.
What Affected Borrowers Should Do
Nelnet is offering two years of free credit monitoring, credit reports, and up to $1 million in identity theft insurance — standard remediation for a breach of this scale. But borrowers shouldn’t stop there. Freeze your credit with all three bureaus if you haven’t already. Set up fraud alerts. And be extremely suspicious of any email, text, or phone call referencing your student loans, especially anything about loan forgiveness, payment deferrals, or account verification.
If someone claims to be from your loan servicer and pressures you to act immediately, that’s the tell. Legitimate organizations don’t operate that way.
What’s Next
The combination of fresh Social Security numbers for 2.5 million people and a high-profile loan forgiveness program creates a phishing environment that’ll persist for months, possibly years. Security teams at financial institutions should prepare for an uptick in loan-themed phishing campaigns. Borrowers should assume their data is in criminal hands and act accordingly. And hopefully, somebody at Nelnet will eventually explain what went wrong — because right now, the only people with answers are the ones who exploited it.