Description of the Initial Attack on a Student Loan Servicing Center
The data breach of Nelnet Servicing, a student loan servicing center, continues to have repercussions years later: a $10 million settlement proposal aimed at compensating roughly 2.5 million affected borrowers was recently announced. The incident affected borrowers of OSLA and Edfinancial Services, two loan servicers that rely on Nelnet’s online platform for customer account management.
In a notification letter released on August 22, 2022, Edfinancial stated that Nelnet had informed it on July 21 that it had discovered a vulnerability that could have exposed certain student loan account information to an unauthorized party. The U.S. Department of Education and law enforcement were also notified.
Classic Example of a Supply Chain Attack
The incident is a textbook supply chain attack in a third-party servicing context. The attackers did not compromise OSLA or Edfinancial directly; instead, they exploited a weakness in Nelnet’s shared web environment, which gave them access to data for borrowers of multiple organizations through a single vendor breach. By targeting the central hub (Nelnet), they were able to move down the supply chain and affect millions of individuals and multiple institutions at once.
Details of the Settlement
A case was filed in the U.S. District Court for the District of Nebraska alleging that Nelnet’s failure to implement reasonable security measures led to the 2022 data breach. While there were other related cases, this case resulted in a $10,000,000 settlement fund that will provide class members of the suit with:
- 2 years of credit monitoring and identity restoration services with up to $1,000,000 in identity theft insurance
- Compensation of up to $5,000 for documented out-of-pocket losses directly related to the data breach
- Cash for lost time dealing with the breach, up to four hours at $25/hour (maximum $100)
- A pro rata cash payment from remaining funds for those who choose not to claim losses or time
How to Claim Your Settlement
Borrowers whose data was compromised in the Nelnet attack can refer to the official settlement website to view their options. You can file a claim online or download a claim form and mail it in. All claim submissions must be received by March 5, 2026. Class members can file a claim using. If you are claiming out-of-pocket losses, you will need the unique ID and PIN assigned to you in your settlement notice, as well as any documentation to prove your expenses.
Call to Action
Although the specific details of the attack remain unknown, there are several steps that Nelnet and any multi-tenant servicing organization can take to reduce their exposure to supply chain threats. One is a commitment to regular penetration tests focused on the public-facing borrower portal, where the vulnerability was exploited. A skilled penetration testing team could have discovered the flaw before the attackers did and provided actionable remediation guidance. In addition, a strong emphasis on code review, dependency scanning, and disciplined patch management reduces the attack surface by removing the weaknesses that threat actors routinely exploit.
