More than 2.5 million student loan borrowers were affected by a data breach that Nelnet revealed on July 21. Although the company took immediate action, the stolen data was irretrievably shared with unauthorized parties.
Nelnet Servicing, a company based in Lincoln, Nebraska, is responsible for maintaining the websites of two large student loan servicers: EdFinancial and Oklahoma Student Loan Authority (OSLA). According to the letter sent by the company, it was breached and became aware of the breach on July 21.
An investigation launched by Nelnet found that the breach occurred sometime between the beginning of June and July 22. The data accessed by unauthorized parties included borrowers’ personal information, such as:
- email addresses
- home addresses
- phone numbers
- Social Security numbers
Fortunately, not all of EdFinancial's and OSLA's clients were affected, as Nelnet is not their only service provider. Nevertheless, more than 2.5 million student loan recipients had their data exposed.
Affected institutions informed their clients of the breach, advising them to remain vigilant against possible incidents of identity theft. The clients have also been offered free access to credit monitoring and identity theft protection for 24 months via Experian, Equifax, and TransUnion.
According to Nelnet, the most sensitive financial data has not been breached. However, the personal data of victims can be used for identity theft and phishing campaigns.
What does a data breach mean for the victims?
As mentioned above, hackers could use the data stolen from EdFinancial and OSLA clients in various social engineering or data theft attempts. Phishing campaigns are likely to take advantage of the current political climate in the US.
President Biden recently announced a student loan relief program, promising to cancel up to $20,000 of student debt for qualifying borrowers. This means that those affected by the data breach could encounter numerous phishing scams claiming to be related to loan forgiveness. Their personal information would make the messages believable, which is why this scenario could be effective for criminals.
Nelnet, which provided its customers with information about credit monitoring and identity protection in a letter, also offers safety tips on its website. The page lists the authorities to notify in case of a scam.
How to spot a scam message?
Since many people have lost their data to hackers, it is helpful to know how to spot a scam attempt so you can avoid it. Phishing emails, phone calls, and text messages often share the same characteristics:
- They take advantage of current events. As mentioned, cybercriminals can use the current political situation to extort money from their victims, making them believe they are dealing with real financial organizations.
- They create a sense of urgency. Phishing messages rely on emotions. They are structured to create a fear of missing out or of facing consequences. Victims may do whatever the scammer wants because they feel pressed to act (e.g., they are promised profits if they act quickly).
- They claim to be officials. Phishing criminals pretend to be authorities to gain the trust of their victims. They may claim to represent banks, financial organizations, or government departments.
How can you protect your data?
The Nelnet data breach is neither the first nor the last. Cybercrime is on the rise – the last few years have been particularly fruitful for hackers and scammers.
Individuals and companies alike have been forced to go online due to the coronavirus pandemic and lockdowns – and not everyone was prepared for it. This created great opportunities for hackers to discover new vulnerabilities.
Today, companies are more aware of the threats, but does that mean you are safe?
The Nelnet situation proves that your online security is sometimes not entirely up to you. If a large service provider is breached, its customers are harmed, and there is nothing they can do. However, such scenarios are quite rare. Many security incidents occur because individual Internet users fail to take precautions.
So, what can you do to improve your online security?
- Invest in security tools. Services such as firewalls or VPNs are great for creating extra layers of online security. Some come bundled with other unique and handy features, such as the meshnet for work option that allows you to connect devices in a secure and protected way. It is great for remote workers and others who want secure access to their devices.
- Use strong and unique passwords. Imagine that a service you trust gets attacked and your personal information – including email and password – is leaked. Hackers will not hesitate to try those credentials on other websites. That’s why you should make your passwords unique and strong.
- Beware of social engineering scams. Keep your eyes open for potential phishing attempts. Always double-check the sender of each email and look for red flags such as misspelled words.