OPINION: Student loan providers should do more to protect borrowers

This summer, over 2.5 million students borrowing loans from Edfinancial Services or Oklahoma Student Loan Authority (OSLA) had their information compromised during a data breach. Nelnet Servicing, a Nebraska-based student loan servicer that both Edfinancial and OSLA use for their web portals was the target of the breach. Students’ names, addresses, email addresses, phone numbers and Social Security numbers were compromised.

I was one of the 2.5 million students impacted by the breach discovered July 21. I was not notified until Aug. 26 through a letter from Edfinancial sent to my residence. 

The letter claims, “The confidentiality, privacy, and security of our customers’ information is one of our highest priorities.” 

If this is so, then why was I not notified until over a month after the breach was discovered?

With the announcement of President Joe Biden’s student loan relief plan, students affected by the data breach are at even more risk of future social engineering or phishing campaigns targeting borrowers exploited by the recent data breach.

Not only am I, along with the other 2.5 million student borrowers, facing crippling debt once we graduate, but now we have to spend the next couple years monitoring our credit and accounts to ensure we are not the unassuming victims of identity theft. To make matters worse, my loan servicer did not notify me until a month after my information was compromised, and it may already be too late.

Cyberattackers could leverage the recent breach to target student borrowers through fraudulent correspondence with emails, phone calls or deceptive text messages.

DePaul junior Sophia Mocarski, who was also affected by the breach, said she was angry and panicked when she first heard that she was an unsuspecting victim of data theft. One of her primary concerns was the amount of time her information has been compromised without her knowledge.

“My Social Security number has been on the internet for almost a month, and they didn’t inform me until I got back to school,” Mocarski said. “That was probably the worst part about it. They should have sent that email when they found out.”

Although the breach did not compromise student borrowers’ financial information, students are still concerned about their Social Security numbers being used for identity theft.

Mocarski said she is worried about her Social Security number being used to take out loans or open credit cards under her name because she doesn’t have a credit score yet.

“You’re handling millions of students’ financial information,” Mocarski said. “We have these loans we have to pay back, and not only that crippling us, but now we have to be concerned about identity theft. It doesn’t make you feel very secure with where you’re taking money out of.”

Students impacted by the breach are offered two-years of credit monitoring and identity theft protection from Experian’s credit reporting and identity protection service, IdentityWorksSm, according to the letter.

Mocarski said she doesn’t believe two years of credit monitoring is enough time to ensure she is protected from identity fraud. She plans on continuing to pay for the service after her free subscription is over.

There are a multitude of ways loan companies can protect their borrowers from data theft. David Habich, an adjunct professor at DePaul in the cybersecurity and criminology departments, said he is not sure how the information was breached from Nelnet, but there should have been protections in place to prevent data theft.

“I think any entity which stores data containing personal identifiable information should safeguard that information to the greatest degree possible,” Habich said.

There are steps both individuals and companies can take to avoid being a data breach victim, according to Habich. This includes education or training on cybersecurity and social engineering attacks, the use of strong credentials and multi-factor authentication, patching and updating software and the use of encryption. 

Nelnet now faces a class action lawsuit as a result of the delay in notifying  the department of education and the families affected after they became aware of the unauthorized access. 

“I definitely would still like to pursue legal action,” Mocarski said. “You don’t really have a choice… [they] put me at risk for identity theft, and I still have to pay back my loans.”

Connect with Sam Moilanen: @sam_moilanen3 | [email protected]