Student loan borrowers just can’t catch a break. Nelnet Servicing, Inc., a student loan servicer, was recently hit with a proposed class action alleging the company failed to properly secure and safeguard the personal data of more than 2.5 million student loan borrowers. Per the lawsuit, mountains of personally identifiable information may now be in the hands of “unknown” actors.

The class action is based on a data breach affecting more than 2.5 million people who have taken out student loans from the Oklahoma Student Loan Authority (OSLA) or EdFinancial. The lawsuit targets Nebraska-based student loan servicer Nelnet, whose servers were accessed by an “unauthorized actor” from June 2021 through mid-July 2022. A range of personal data belonging to current and former student loan borrowers was exposed, including unencrypted and unredacted names, Social Security numbers, email addresses and phone numbers.

According to the lawsuit, Nelnet first detected “unusual activity” on its network as early as July 21, 2022, but “unreasonably” waited close to a month to notify the 2,501,324 individuals whose information may have been compromised. Even though they learned that an “unauthorized third party” had “gained access” to their system, they kept the data breach quiet while they conducted their own in-house investigation. It was not until mid-August that they notified the borrowers as well as state attorneys general about the breach.

The complaint seeks relief on behalf of all U.S. residents whose personal data was compromised in the Nelnet data breach. According to the allegations, Nelnet failed to “adequately protect” the personal data of the plaintiffs; to warn the plaintiffs of its “inadequate security practices;” and to “effectively monitor” its network for “security vulnerabilities and incidents.” The complaint alleges negligence, unjust enrichment, breach of contract, and invasion of privacy. The plaintiffs claim Nelnet’s alleged negligence has “significantly harmed” the class members, leaving them “at a high risk of identity theft and fraud for many years to come.” The lawsuit seeks equitable relief forcing Nelnet to better protect customer data and submit to third-party auditors, as well as pay damages for harm suffered.

The case is reminiscent of the 2017 Equifax data breach, in which the personal information of roughly 147 million people was exposed to hackers. The resulting settlement saw Equifax agreeing to offer free credit monitoring or $125 in cash to class members, which many saw as inadequate to compensate for the harm such a severe breach of personal data may cause. The federal Office of Personnel Management was likewise hit with a lawsuit alleging the personal data of then-current and former federal government employees and contractors was exposed in cyber attacks between 2013 and 2015. The case against OPM and its contractor Peraton was settled for $63 million this summer. These are just a few examples of the wave of massive data breaches in recent years.