Nelnet Data Breach Class Action Says Info of More Than 2.5 Million Student Loan Borrowers Was Stolen [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

Nelnet Servicing, LLC faces a proposed class action over a 2022 data breach affecting more than 2.5 million people who’ve taken out student loans with the Oklahoma Student Loan Authority (OSLA) or EdFinancial. 

The 45-page lawsuit says that information compromised in the incident includes current and former student loan borrowers’ unencrypted and unredacted names, email addresses and phone and Social Security numbers. Per the case, an “unauthorized actor” had access to Nelnet’s system from June 2021 through July 21, 2022. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

Although Lincoln, Nebraska-based Nelnet first detected “unusual activity” on its network on July 21, the company “unreasonably” waited more than a month before notifying the 2,501,324 individuals whose information is believed to have been compromised, the suit relays. 

“This is tantamount to the cybercriminals having nearly a three-month head start on stealing the identities of Plaintiff and Class Members.” 

The lawsuit charges that proposed class members’ information was taken by unauthorized parties as a result of Nelnet’s “negligent and/or careless acts and omissions,” and that the company could have prevented the breach had it properly encrypted its systems. 

“Hackers obtained their [personally identifiable information] because of its value in exploiting and stealing the identities of Plaintiff and similarly situated Class Members,” the case reads. “The risks to these persons will remain for their respective lifetimes.” 

According to the complaint, Nelnet first began notifying state attorneys general about a “widespread data breach” of its computer network on August 26 of this year. In its letter sent to victims, Nelnet revealed that it discovered on July 21 that an unauthorized party had accessed a portion of its information system and network, the suit says.

Rather than notify victims immediately, Nelnet chose to address the incident “in-house by implementing other safeguards to some aspects of its computer security” and investigating with “third-party forensic experts” before “simply resum[ing] its normal business operations,” the lawsuit states. 

“Nelnet failed to uphold its data security obligations to Plaintiff and Class Members,” the suit alleges. “As a result, Plaintiff and Class Members are significantly harmed and will be at a high risk of identity theft and fraud for many years to come.” 

The lawsuit looks to cover everyone in the United States whose personally identifiable information was compromised in the 2022 data breach announced by Nelnet Servicing, LLC in August 2022. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.