Personal information of about 2.5 million student loan borrowers across the United States was exposed in a data breach of Nelnet Servicing LLC (Nelnet) during Summer 2022. Now, because of the severity of the breach and time it took for the company to notify customers, Nelnet faces a class action lawsuit alleging wrongdoing.
In a statement released by Nelnet, an unknown party accessed accounts and a forensics investigation determined that impacted information included full names, addresses, phone numbers and Social Security numbers of people who have taken out loans with EdFinancial or the Oklahoma Student Loan Authority (OSLA). Nelnet said they discovered the breach Aug. 17, 2022, and the unknown party had access to accounts starting in June. On July 21, 2022, Nelnet notified impacted student loan servicers about an incident that impacted borrowers.
Nelnet is the largest federal student loan servicer and as of June 30, 2022, was providing $589.5 billion in government-owned loans, loans from the Federal Family Education Loan Program, private education loans, and consumer loans for 17.4 million borrowers, according to their second quarter 2022 earnings press release.
Data breaches of corporations have increased over the last five years and in 2021, 1,862 corporate breaches were recorded, almost 294 million people were impacted and over 18.5 million records were exposed, according to the Identity Theft Resource Center.
Ithaca College uses the Nelnet Campus Commerce platform to generate billing statements. Students can view and make payments on bills and set up a monthly payment plan on the platform. The Campus Commerce platform was not affected by the security breach.
Shana Gore, executive director of student financial services, said Nelnet told the college that it believed no direct loan borrowers were impacted, but if any student was impacted they were notified via a breach disclosure letter from Nelnet. The letter explained the scope of the breach and offered a free 24 months of identity theft protection.
Gore said the breach does not impact the way the college views the Nelnet Campus Commerce platform but said reviewing contracts of companies the college partners with when they are up for renewal is an ongoing process. She said vendors are required to share their security practices to ensure they are compliant with all federal and state regulations.
“[Reviewing contracts like Nelnet Campus Commerce] is something that — totally separate from the breach — we constantly review to make sure that vendors are meeting students’ needs, providing the product we need to be able to support students and that we are paying the best price possible,” Gore said.
Jason Youngers, information security officer in the Office of Information Security and Access Management, said the college’s contract review process involves procurement, the Office of the College Counsel, the Office of Information Security and Access Management, and others.
“As part of that [review] process, we request and review information from vendors about their information security practices,” Youngers said via email. “Our preference is that vendors complete the Higher Education Community Vendor Assessment Toolkit published by the Higher Education Information Security Council and widely used in higher [education], but we also request reports from third-party security assessments and audits.”
One class action lawsuit against Nelnet was filed Aug. 30, 2022, by a firm representing plaintiff Jesse Herrick. Another class action from plaintiff Michael Varlotta represented by Mattson Ricketts Law Firm and Peiffer Wolf Carr Kane Conway & Wise, LLP, was filed as well.
The complaint from the Herrick class action states that “Nelnet had a duty to exercise reasonable care in safeguarding, securing and protecting such information [personal identifiable information] from being compromised, lost, stolen, misused and/or disclosed to unauthorized parties” and said that Nelnet did not disclosure the breach in an appropriate amount of time.
Now, a judge will have to rule if the case should be given a class action status for the case to continue and then the case could take as little as a few months or stretch to a few years to complete.
Junior Hannah O’Connor said she had concerns about the breach because while her student loans are serviced through Nelnet, she was not notified by the company and instead found out through social media. She said she was not affected by the breach, but thinks there should have been more communication from Nelnet to individuals that use its platform.
O’Connor, who works as a support consultant for Information Technology at the college, said the department has not had any discussions about the breach because of how separate Nelnet is from the college.
“Not all students at the school who take out loans have them serviced through Nelnet,” O’Connor said via email. “If there was a student that was directly affected by the data breach and reached out to IT regarding it, we would strongly recommend reaching out to Nelnet or the U.S. Department [of] Education directly.”
O’Connor said she feels like technology security in general is like a scale that factors in the amount of security and convenience.
“I believe that the college falls somewhere right in the middle of being secure and convenient with the use of Duo,” O’Connor said via email. “It is not always the most convenient, but it keeps student’s important information safe as opposed to not having any security measures at all. Without Duo and other security measures, anyone would be able to access anything with just a simple password.”
