A data breach at one of the country’s largest student loan servicing companies, Nelnet Inc., may have exposed the personal information of about 2.5 million borrowers, including more than 15,000 in Maine.

According to the Nebraska-based company, an unknown party accessed “certain student loan account registration information” held by its Nelnet Servicing Division sometime between June and late July. The information that may have been accessed includes names, addresses, email addresses, phone numbers and Social Security numbers, Nelnet said in a letter to borrowers last month. Financial account numbers and payment information were not affected.

Nelnet said that on July 21 it notified two other servicing companies to which it’s subcontracted, EdFinancial and the Oklahoma Student Loan Authority, of “a vulnerability” that led to the breach.

“Nelnet Servicing’s cybersecurity team took immediate action to secure the information system, block the suspicious activity, fix the issue, and launched an investigation with third-party forensic experts to determine the nature and scope of the activity,” the company said.

Nelnet also services student loan accounts directly but none of those borrowers were affected.

After further investigation, Nelnet in late August began notifying borrowers in Maine and elsewhere who might have been affected. The company estimates they include 13,700 Mainers with loans handled by EdFinancial and about 1,700 with OSLA.

Advertisement

So far, there’s been no illicit use of the personal information, Nelnet said in a statement.

The U.S. Department of Education and law enforcement have been notified of the breach. The company is providing free access to credit monitoring services to anyone whose personal information was potentially affected by the incident, as well as guidance on how to better protect against identity theft and fraud.

“Protecting the personal information customers, clients, and associates entrust to Nelnet is a top priority,” the company said in its statement. “Nelnet takes safeguarding data seriously and is committed to continue taking steps to keep information secure.”

The company is already facing at least one class-action lawsuit related to the data breach. Nelnet is one of the largest of the nine service providers hired to manage federal student loans, and is under contract with the Department of Education through 2023.

As of September 2021, Nelnet and its subsidiary Great Lakes Educational Loan Services managed nearly $513 billion in government-owned student loans for over 15 million borrowers, according to Investopedia, or more than 30 percent of all student loans in the U.S.

News of the breach went out to borrowers just two days after President Biden announced that many student loans would be forgiven, as he had promised when a candidate.

Biden’s executive order cancels $10,000 to $20,000 in federal student loan debt for individuals earning less than $125,000 a year. The White House estimates the order could assist up to 43 million borrowers.

There are an estimated 203,000 Mainers with student loans, with an average balance of around $33,000.

Nelnet’s website crashed following the president’s announcement.