Personal Information of Over 2.5 Million Borrowers Exposed in Nelnet Data Breach

By Maria Carrasco, NASFAA Staff Reporter

Over 2.5 million borrowers who have taken out student loans with either the Oklahoma Student Loan Authority (OSLA) or Edfinancial had their personal information exposed in a data breach this summer.

Nelnet Servicing, a Nebraska-based technology services firm that both OSLA and Edfinancial utilize for their web portals, had its data breached. According to a letter sent by Nelnet Servicing, the company became aware of a data vulnerability on July 21. Nelnet Servicing took action and blocked the suspicious activity, fixed the vulnerability, and launched an investigation into the breach with a third party. 

About a month later, on August 17, the investigation concluded that certain student loan account registration information was accessible by an unknown party beginning in June and ending on July 22. Information exposed in the data breach includes over 2.5 million borrowers’ names, addresses, email addresses, phone numbers, and Social Security numbers, according to a letter to impacted borrowers from OSLA and Edfinancial. The breach did not compromise borrowers’ financial information, however. 

“The confidentiality, privacy, and security of our customers’ information is one of our highest priorities,” the letter reads. “We are notifying potentially impacted individuals, including you, so that we can provide you with services and resources to best protect yourself from any potential consequences should you feel it is appropriate to do so.”

OSLA and Edfinancial sent impacted borrowers a list of steps they can take to protect their personal information and offered free access to Experian's identity protection and credit reporting service IdentityWorksSM for two years. 

“We encourage you to remain vigilant against incidents of identity theft and fraud over the next 24 months, by reviewing your account statements and monitoring your free credit reports for suspicious activity and to detect errors,” the letter reads. “Please also review the information contained in the enclosed ‘Steps You Can Take to Help Protect Your Personal Information.’”


Publication Date: 9/2/2022

Gaeble J | 9/2/2022 3:28:38 PM

I agree completely with Darren. I think they speak to how a lot of us feel with their comment. "Disillusioned and disconnected". Where IS the consequence for this? Because it feels like it is all on the people trusting Nelnet, OSLA, and EdFinancial! This should not be brushed over, or under the rug so quickly. What's being done by these companies to bring justice to this situation? They are losing secure information and then telling people how to secure their information better, when that is literally their job. "Protect yourself from any potential consequences should you feel it is appropriate to do so". Absolutely unnerving. How dare they.

Kathleen R | 9/2/2022 12:36:45 PM

It's really rich that they added this part at the end of their letter: Please also review the information contained in the enclosed ‘Steps You Can Take to Help Protect Your Personal Information.’” Sounds like they need to take their own advice.

Peter G | 9/2/2022 11:9:18 AM

Looking for clarifiication - does the phrase "who have taken out student loans" mean this only applies to borrowers where either of those entities is the lender?

EdFinancial is also a contracting DL servicer, so borrowers may have had DL loans assigned to them without technically having taken out a loan through them.

So is this anyone Edfinancial services, or only cases where they are the lender?

Larry B | 9/2/2022 10:4:25 AM

Can Nelnet be sued for this? Probably not until their clients suffer from identity theft. I would love to see a big class action suit.

Darren C | 9/2/2022 9:15:29 AM

Interesting. So again we see a company tells you that your information is "safe and secure" and then it fails to keep that information safe and secure. Their answer is that YOU can take steps to fix or minimize the damage you may incur. They're saying, trust us once, your information may have been stolen now trust us again. Where's the accountability, where is the consequence for these clear failures? This is why people become so disillusioned and disconnected from their decisions as they go through life. A system we're promised won't fail us fails, then....nothing happens and we keep moving forward in the same direction.

You must be logged in to comment on this page.

Comments Disclaimer: NASFAA welcomes and encourages readers to comment and engage in respectful conversation about the content posted here. We value thoughtful, polite, and concise comments that reflect a variety of views. Comments are not moderated by NASFAA but are reviewed periodically by staff. Users should not expect real-time responses from NASFAA. To learn more, please view NASFAA’s complete Comments Policy.

Related Content

Today's News for July 22, 2024


Federal Appeals Court Fully Blocks SAVE Repayment Plan


View Desktop Version