I. Targeted Entities

  • Edfinancial and Oklahoma Student Loan Authority loanees

II. Introduction

Oklahoma Student Loan Authority (OSLA) and EdFinancial are notifying over 2.5 million people that their personal data was leaked in a data breach that could lead to more trouble.

III. Background Information

Nelnet Servicing, a Lincoln, Nebraska-based servicing system and web portal provider for the two loan providers, was the target of the breach. Nelnet made the breach known to affected loan recipients on July 21st via letter.[1]

By August 17th, the investigation found that the personal user information, including the names, home addresses, email addresses, phone numbers, and social security numbers, of 2,501,324 student loan account holders had been accessed by an unauthorized party. However, the users’ financial information was not leaked.[2] In the breach disclosure filing submitted to the state of Maine by Bill Munn, Nelnet’s general counsel, the breach occurred between June 1, 2022 and July 22, 2022. But the letter sent to affected users pinpoints the breach to July 21, 2022.[3]

Although loanees’ sensitive financial data was not leaked, the personal information that was leaked “has [the] potential to be leveraged in future social engineering and phishing campaigns,” says Melissa Bischoping of Tanium. With the Biden administration’s recent announcement of a plan to cancel $10,000 of student loan debt for low- and middle-income loanees, it should be expected that this breach could be used by scammers for criminal activity. Bischoping warns that the recently leaked data can be used to impersonate affected brands in phishing campaigns that target students and recent college graduates.[4]

According to the breach disclosure, Nelnet informed Edfinancial and OSLA that Nelnet’s cybersecurity team “took immediate action to secure the information system, block the suspicious activity, fix the issue, and launched an investigation with third-party forensic experts to determine the nature and scope of the activity.” Also in the breach disclosure sent to the state of Maine is a statement that remediation will include two years of free credit monitoring, credit reports, and up to $1 million in identity theft insurance.[1]


  • T1586 – Compromise Accounts
    Adversaries may compromise accounts with services that can be used during targeting with information gained from the data breach.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a

VI. Indicators of Compromise (IOCs)

Because of the nature of the event, this threat advisory has no indicators of compromise. However, users should continue to remain vigilant.

VII. References

(1) Nelson, Nate. “Student Loan Breach Exposes 2.5M Records.” Threatpost English Global, August 31, 2022. https://threatpost.com/student-loan-breach-exposes-2-5m-records/180492/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut.