Have you or someone you know taken out student loans? If so, your personal information may be at risk. Nelnet Servicing, a federal student loan servicer working on behalf of the U.S. Department of Education, was recently hit by a cyber-attack. Over 2.5 million student loan accounts were exposed from the Oklahoma Student Loan Authority (OSLA) and EdFinancial, two large financial institutions that provide student loans. Fortunately, no financial records or payment information were breached, but personally identifiable information (PII) was still exposed, such as full names, addresses, emails, phone numbers, and most importantly, Social Security numbers.
Nelnet stated that the cybercriminals gained access to its systems in June and maintained the unauthorized access until July 22. This time frame may seem long initially, but typically, a threat actor can remain in a system for months undetected, with the average time being 273 days. That average time allows hackers to study an environment and better understand its structure and weak points.
Fortunately, EdFinancial does not exclusively use Nelnet, meaning not all its clients are subject to this breach. Both EdFinancial and OSLA offer impacted individuals free access to a 24-month identity theft protection service through Experian.
Markovits, Stock & DeMarco LLC, a Cincinnati-based law firm, is launching an investigation into the attack on behalf of the victims. This could potentially be the beginning of a class-action lawsuit against Nelnet.
All those with breached information should immediately enroll in the identity theft prevention service offered. EdFinancial also advises that victims of the breach monitor their bank accounts closely, not just right now but over the next few years, as accounts are often not touched for months or even years after a breach like this. The Federal Trade Commission’s (FTC) website provides more steps and measures to take for the protection of sensitive information.
Unfortunately, Nelnet will not share how exactly the breach occurred, but it is a harsh reminder that we must remain vigilant and take the necessary precautions to protect our personal information, especially regarding our finances.
What are your thoughts on this data breach? Have you been affected by it, or know someone who has? Reach out and let us know!
Thanks for reading!
Make Cyber Literacy Mainstream
The Federal Rotational Cyber Workforce Program Act points to the essential role technical talent plays in shoring up domestic protections. This legislation establishes a framework through which cybersecurity professionals in the federal government can work with multiple federal agencies to enhance their skills.
Similarly, private companies must bolster their cybersecurity training programs and extend these educational resources to all employees across the company. Given the severity of modern-day cyberattacks, this knowledge can no longer be confined to the data or IT departments.
Current private-sector cybersecurity training is significantly lacking, according to a recent survey which found that 61% of employees who have received cybersecurity training failed a basic test, and those fail rates were even higher for professionals in information services/data (83%) and software (73%). These findings reveal the inadequate breadth and depth of corporate programs, which have fallen short of what is necessary to enhance the skills of even their most technically inclined employees.
In the coming months, it’s essential that private companies invest time and resources into bolstering their company-wide cybersecurity training programs, whether that means outsourcing to an instructional organization that can lead live virtual or on-site workshops, commissioning a detailed video series or establishing a regular cadence of all-hands exercises to gauge cyber literacy.
While the financial investment to build out these programs might seem daunting, leaving your company’s digital networks vulnerable will end up costing you precious management time, partnerships, reputation and much more money in the long run.
Notably, there are funds and resources readily available to those that do invest in their digital infrastructure. For example, companies can claim the Research and Development Tax Credit for activities related to implementing new technical programs and processes, including developing, updating or just integrating their current systems with new cybersecurity training courses and tools, as well as adopting the latest protective software across digital systems.
Another pillar of a national cyber strategy is the development of a cyber workforce for the future. A new bill, the Cybersecurity Grants for Schools Act of 2022, sponsored by Rep. Andrew Garbarino (NY-2) to fund schools that provide cybersecurity education and training, recently passed the House and awaits action in the Senate.
In the long term, this will be helpful to the industry; however, even when this talent becomes available, it will be hamstrung without better collaboration.
Cyber Industry Collaboration is Key
The second piece of cybersecurity legislation signed by President Biden requires governments at every level (local, state, tribal, etc.) to increase their collaboration on sweeping cybersecurity issues, including the sharing of specific security tools and protocols.
The scope of this resource-sharing doesn’t extend fully to the private sector; however, companies would be wise to adopt this “stronger together” approach and independently seek out opportunities to workshop key learnings with other businesses in their industry.
Each sector (from small business to manufacturing, healthcare, technology, agriculture and more) faces unique cyber threats, and industry peers have the most relevant experience to address these issues. As opposed to struggling in isolation, leadership teams must join existing coalitions or form collectives with other entities to promote the democratization of cybersecurity knowledge, as well as advocate for private sector needs at the federal level. The National Technology Security Coalition (NTSC) and the Cybersecurity Coalition are just a couple of examples of groups spearheading this effort.
Ultimately, companies can only progress in their digital infrastructure if they work together, and one business’s vulnerability could take down the entire industry. For instance, much of the most critical supply chain is already at risk as hackers become more advanced in their ability to breach not only individual container ships and freight planes, but the various software systems that operate them.
Follow the Security Framework
While the federal government has yet to enact comprehensive cybersecurity legislation that provides support and guidance for the private sector, companies can use the latest bills as the roadmap for their immediate next steps. Those bills point to talent and industry collaboration as the key avenues for safeguarding our digital infrastructure.
As the ripple effects of SolarWinds and Log4j continue to impact public and private entities and new threats make their way onto the global stage, it’s more important than ever for private companies to make cybersecurity investments a top priority.