Cyber Incident Victim: Oklahoma Student Loan Authority
Date: Jun 2022
Location: United States of America
Summary
A cybersecurity breach at technology services provider Nelnet Servicing compromised the personal data of approximately 2.5 million student loan borrowers associated with the Oklahoma Student Loan Authority (OSLA) and EdFinancial. Unauthorized actors exploited a vulnerability to access Nelnet's systems, potentially obtaining sensitive information including names, addresses, email addresses, phone numbers, and Social Security Numbers, though no financial account or payment details were exposed. The incident prompted notifications to affected individuals and the offering of complimentary identity theft protection services for two years. While the breach impacted a significant portion of borrowers serviced through Nelnet's platform, not all EdFinancial clients were affected due to partial hosting arrangements. The incident triggered investigations into potential legal actions regarding data protection failures.
Description
In June 2022, unidentified attackers breached the systems of Nelnet Servicing, a technology services provider supporting student loan management for the Oklahoma Student Loan Authority (OSLA) and EdFinancial. The intrusion persisted until July 22, 2022, when Nelnet detected and blocked the unauthorized access. Investigators later determined the attackers likely exploited a vulnerability to compromise Nelnet's network, though the specific technical vector remained undisclosed. The breach impacted 2,501,324 individuals who had student loans administered through OSLA or EdFinancial via Nelnet's web portal platform. Nelnet completed its forensic investigation on August 17, 2022, confirming that student loan account registration information had potentially been accessed during the two-month compromise window. OSLA and EdFinancial, notified by Nelnet of the incident, subsequently initiated customer notifications through mailed letters submitted to regulatory authorities like the Maine Attorney General's Office as part of breach disclosure protocols.

The exposed data included full names, physical addresses, email addresses, phone numbers, and Social Security Numbers, but Nelnet confirmed no financial account numbers or payment information was compromised. EdFinancial clarified that only borrowers hosted on Nelnet's platform were affected, excluding a portion of their client base. The sensitive nature of loan-related personal information heightened risks of phishing, social engineering, and impersonation attacks targeting victims. In response, OSLA and EdFinancial arranged 24 months of complimentary Experian identity theft protection services for impacted individuals, with enrollment instructions included in notification letters. The Markovits, Stock & DeMarco law firm announced an investigation into potential class action litigation following the breach disclosure, citing the severity of exposed personally identifiable information. No operational disruptions to student loan servicing platforms were reported beyond the data exposure.
