Content, Breach

Student Lender Blames Unrelated Vendor for Exposing Thousands of Personal Records


Access Group Education Lending, a student loan services company, has told some 16,500 borrowers that their personal data had been mistakenly sent by one of its vendors to an unrelated third-party business.

The third-party in this incident is an unidentified vendor serving Nelnet, a publicly-held, Lincoln, NE-based company that administers and handles repayment of student loans and other education-related financial services for student lenders like Access. If you’re a student and you take out a federal student loan from any number of lenders, you may be paying it back through Nelnet.

According to Access, on March 23 Nelnet inadvertently sent out files containing its borrowers’ names, driver's license numbers and social security numbers to the wrong student loan lender. Access said that it learned of the breach on March 28. Nelnet reportedly has instructed the vendor on the receiving end, which it claimed is a “trusted business partner,” to delete the files and not make copies.

It wasn’t until three weeks later, however, that Access began notifying borrowers, according to the Lincoln Journal Star. Last Friday, Access said it had limited and terminated the threat but didn’t explain how.

"Access Group values the trust our student loan borrowers and co-signers have placed in us, and we hold the privacy of our customer's personal information in the highest regard," the company said. "We regret any concern this incident may have caused our borrowers and we feel confident that we have minimized any threat to their personal information." To avoid a similar incident in the future, Access said it will require written data transfer protocols, the Journal Star said.

Nelnet said there is no evidence so far that the data has been “used inappropriately” by the third-party vendor or had been nabbed by hackers. "The data file was sent through an encrypted channel. Additionally, the student loan lender that received the information recognized the mistake and immediately destroyed the data," Nelnet said. Officials apologized for the breach.

Access used to be in the student loan business, but withdrew from the market in 2010 when the federally guaranteed student loan program ended. Two years later the company stopped servicing those loans directly but it still has borrowers. Enter Netnet.

The Access breach is grossly overshadowed by the exposure 2 1/2 months ago of personal records belonging to 370,000 students, parents, teachers and staff members from the Leon County Schools District in Tallahassee, FL through a leaky third-party provider. In that episode, the school district learned of the breach in February but waited a month before publicly acknowledging the incident, SC Magazine reported.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.