A threat actor compromised a major U.S. student loan servicing platform by exploiting an unpatched web‑application component. The vulnerability allowed the attacker to query the backend database and harvest personal data—including names, Social Security numbers, dates of birth, and loan balances—for roughly 2.5 million borrowers.

The breach puts millions at risk of identity theft and could trigger regulatory penalties under GDPR, CCPA, and federal education‑privacy statutes. Defenders must prioritize timely patch management for third‑party libraries, enforce strict network segmentation around sensitive data stores, and deploy continuous monitoring to detect anomalous query patterns before large‑scale exfiltration occurs.