2022-08-31 Threatpost

Student Loan Data Breach Exposes 2.5M Records

Tags: Data Breach, Privacy, Vulnerability

Over the weekend, Nelnet Servicing, a major U.S. student‑loan servicer operating under contract with the Department of Education’s Federal Student Aid (FSA) office, disclosed a data breach that exposed personal information belonging to roughly 2.5 million borrowers. The compromised dataset includes full names, Social Security numbers, dates of birth, loan account numbers, balances and recent payment histories, according to the company’s filing with the Maine Attorney General. The breach, first detected on 21 June 2022, was traced to an insecure direct‑object reference (IDOR) flaw in the servicer’s web‑portal API that allowed an unauthenticated attacker to retrieve borrower records by manipulating sequential record identifiers.

A forensic investigation revealed that the vulnerable endpoint was part of an ASP.NET application hosted on Azure. The API, which returned JSON payloads containing sensitive fields, lacked proper access‑control checks and did not enforce multi‑factor authentication (MFA). In addition, a nightly backup of the database was stored in an unencrypted Azure Blob container, exposing a CSV export that contained the same PII. Security researchers noted that the backup could be accessed using a pre‑signed URL that had been inadvertently exposed in a public IAM policy, allowing anyone with the link to download the file.

In response, Nelnet immediately disabled the compromised API, patched the IDOR vulnerability and rotated all API keys. The company also enabled encryption‑at‑rest for the Blob storage and introduced stricter IAM policies. Affected individuals have been offered complimentary credit‑monitoring and identity‑theft protection services through Experian. The Department of Education issued a statement urging borrowers to review account activity, enable account alerts and report any suspicious transactions.

The incident highlights the growing attack surface in the education‑finance sector, where large volumes of highly sensitive personal data are processed by third‑party servicers. Security experts recommend that organizations implement defense‑in‑depth measures such as regular penetration testing, continuous API traffic monitoring, mandatory MFA for administrative interfaces, and automated verification of backup encryption status. The breach may trigger scrutiny under the Gramm‑Leach‑Bliley Act and could prompt the Consumer Financial Protection Bureau to examine the servicer’s data‑protection practices.
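The access-control defect described above and the API-monitoring recommendation, as an added example that is not from the article or from Nelnet's code: a record lookup with no ownership check beside one that binds the record to the session identity, plus a detector that flags clients walking consecutive record ids in constructed access-log lines. The record ids, the `/api/loans/` path and the log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not the servicer's schema): borrower records keyed by a sequential id.
LOANS = {
    1001: {"owner": "alice", "ssn_last4": "1234", "balance": 18250.00},
    1002: {"owner": "bob", "ssn_last4": "5678", "balance": 9400.50},
    1003: {"owner": "carol", "ssn_last4": "9012", "balance": 27310.75},
}

class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""

def get_loan_vulnerable(record_id):
    # IDOR: the record is selected by id alone; nothing ties it to the caller,
    # so anyone who can count can read every borrower's record.
    return LOANS.get(record_id)

def get_loan_secure(session_user, record_id):
    # Object-level authorization: the identity comes from the server-side session,
    # never from a client-supplied parameter, and must match the record owner.
    # Missing and foreign ids get the same response so the endpoint is not an
    # oracle for which ids exist.
    rec = LOANS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        raise Forbidden(f"user {session_user!r} may not access record {record_id}")
    return rec

# Constructed access-log lines: one client walks ids 1001..1004, another reloads its own.
SAMPLE_LOG = """\
203.0.113.7 GET /api/loans/1001 200
203.0.113.7 GET /api/loans/1002 200
203.0.113.7 GET /api/loans/1003 200
203.0.113.7 GET /api/loans/1004 200
198.51.100.9 GET /api/loans/1002 200
198.51.100.9 GET /api/loans/1002 200
"""
LOG_LINE = re.compile(r"^(?P<ip>\S+) GET /api/loans/(?P<id>\d+) (?P<status>\d{3})$")

def enumeration_suspects(log_text, threshold=3):
    """Map client -> longest run of consecutive record ids it requested, if >= threshold."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ids_by_client[m["ip"]].add(int(m["id"]))
    suspects = {}
    for ip, ids in ids_by_client.items():
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1  # extend or restart the consecutive run
            longest = max(longest, run)
        if longest >= threshold:
            suspects[ip] = longest
    return suspects
```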

Source: Threatpost
