More than 2.5 million people with student loans just learned that their names, home addresses, email addresses, phone numbers, and Social Security numbers were accessed by an unauthorized party. The breach hit Nelnet Servicing, the Lincoln, Nebraska-based company that runs the servicing systems and web portals for two major student loan providers: EdFinancial and the Oklahoma Student Loan Authority (OSLA).
How It Happened
According to breach disclosure letters sent to affected borrowers, the incident involved a vulnerability in Nelnet’s systems that allowed unauthorized access to personal account registration information. The window of exposure stretched from June 1, 2022, to July 22, 2022, though Nelnet pinpointed the breach date to July 21 in its customer notification. The company didn’t confirm the breach until August 17 — nearly a month after discovery.
Nelnet says its cybersecurity team “took immediate action to secure the information system, block the suspicious activity, fix the issue, and launched an investigation with third-party forensic experts.” The company hasn’t disclosed the specific nature of the vulnerability that was exploited, which is frustrating but not unusual at this stage.
Financial account information was not exposed. That’s the good news. The bad news is that everything else — names, addresses, emails, phone numbers, and SSNs — is more than enough to cause serious harm.
Why This Data Is Dangerous
Melissa Bischoping, endpoint security research specialist at Tanium, warned that the exposed data “has potential to be leveraged in future social engineering and phishing campaigns.” She’s right, and the timing makes it worse. The Biden administration recently announced plans to cancel $10,000 in student loan debt for low- and middle-income borrowers — a program that scammers are practically guaranteed to weaponize.
Imagine getting an email that looks like it’s from EdFinancial or OSLA, referencing the loan forgiveness program, asking you to “verify your information” to receive your relief. Now imagine the scammers already have your name, address, phone number, and SSN from this breach. That’s not hypothetical — it’s the inevitable next step.
“Because they can leverage the trust from existing business relationships, they can be particularly deceptive,” Bischoping noted. These won’t be clumsy Nigerian prince emails. They’ll look legitimate, reference real programs, and target people who are already anxious about their student debt.
What Affected Borrowers Should Do Right Now
Nelnet is offering two years of free credit monitoring, credit reports, and up to $1 million in identity theft insurance. If you’re among the 2.5 million affected, enroll in that immediately. Beyond that:
• Freeze your credit with all three bureaus (Equifax, Experian, TransUnion). It’s free, it’s fast, and it prevents anyone from opening new accounts in your name.
• Watch for phishing — especially emails or calls referencing student loan forgiveness, Nelnet, EdFinancial, or OSLA. Don’t click links. Don’t provide information. Go directly to the official website.
• Monitor your credit reports closely for the next 12-24 months. Look for accounts you didn’t open or inquiries you didn’t authorize.
The Bigger Picture
This breach is a reminder that the companies handling your most sensitive personal data aren’t always equipped to protect it. Nelnet processes loan servicing for millions of borrowers, yet a single vulnerability exposed the personal information of 2.5 million people for over a month before anyone noticed. The student loan ecosystem relies on a patchwork of servicers, guarantors, and third-party providers — each one a potential weak link. Until that infrastructure gets hardened, borrowers are left hoping the next breach isn’t worse.
