Nelnet Announces New Data Breach that Affects Millions

While news of Joe Biden canceling tens of thousands of dollars in student loan debt for American citizens dominated the nation’s media earlier this week, some college graduates around the country faced a less promising development. On August 26, 2022, it was reported that Nelnet, a financial services company that handles the administration and repayment of student loans as well as other related educational financial services, sustained a data breach that impacted as many as 2.5 million student accounts. The vast majority of these accounts belonged to the Oklahoma Student Loan Authority (OSLA) and EdFinancial Services LLC, and a trove of personal information was disclosed to the general public.

As stated in an article by the online technology publication Techradar, “a letter sent by Nelnet Servicing to the affected providers said that the breach did not involve the leakage of any financial data, but that the exposed information did include full names, physical addresses, email addresses, phone numbers, and social security numbers.” Although the breach did not involve the dissemination of financial information, EdFinancial Services and OSLA have still offered their millions of customers “free 24-month access to Experian’s identity protection and credit reporting service IdentityWorksSM, which includes benefits like a free credit check.”

Higher education and cybercrime

While many people may not associate cybercrime with institutions of higher education, the reality is that these organizations are prime targets for cybercriminals that are looking to make off with the personal information of unsuspecting victims. This is due in large part to the inherent level of personal data that a private college or public university will have access to, as the tens of thousands of students that attend a particular institution of higher education will have various data elements on file concerning their personal lives at any given time. What’s more, the exorbitant costs that are associated with successfully running a college or university also mean that certain resources will have to be cut, and cybersecurity measures can often bear the brunt of this fact.

To illustrate this point further, Lincoln College, a private liberal arts university based in Illinois, was forced to shut down permanently earlier this year after it was revealed that the institution experienced a ransomware attack in December of 2021. The college has publicly stated that it struggled to continue operating following the ransomware attack, which effectively “thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrolment projections.” For context, Lincoln University was able to withstand a number of catastrophic events throughout the history of the school, including the Great Depression, World War II, and the Spanish Flu of 1918, among other events.


On top of the cybersecurity risks that many educational institutions within the nation faced on a daily basis, the onset of the COVID-19 virus exacerbated the problem even further, as the ensuing lockdowns and mandatory regulations forced students, professors, and administrators alike to do their work online. This created an environment that was ripe for cybercrime, as most businesses and organizations around the world were not adequately prepared for an unexpected pivot toward remote learning and work. The case of Lincoln College is therefore representative of a larger issue that institutions of higher learning have been facing for many years now.

For instance, Chester Wisniewski, principal research scientist at Sophos, a security software and hardware company, has stated: “The average cost to an organization in the private sector was $1.8 million U.S. dollars after a ransom attack,” Wisniewski said, “so it was almost a million dollars higher cost for educational institutions to recover versus a normal private sector organization.” Austin Berglas, global head of professional services and founding member at BlueVoyant, a cybersecurity company, was also quoted as saying, “We saw an incredible increase in ransomware attacks over the past two years, 2020 and 2021, as Covid-19 pushing everybody remote really made the attack surface grow.”

As our world continues to advance further into the digital age, cyberattacks will only continue to grow in frequency, as many criminals who would have been committing physical crimes at previous points in human history have instead turned their sights to the internet. For this reason, it is imperative that institutions of higher education have the tools necessary to handle the threat of cybercrime, be it in the form of technology solutions such as a redaction software program, or through other similar methods, including encryption. All parties involved in higher education lose when a cyberattack occurs, as the disastrous outcomes of such attacks have proven to be long-lasting and far-reaching.
