The student loan services company Access Group Education Lending is blaming a third-party business partner for inadvertently sending loan files containing borrowers' personal information to another business that was not authorized to receive them.
According to various media outlets, Access Group notified roughly 16,500 borrowers of the breach in a letter that states the company learned of the breach on Mar. 28, 2018, five days after the incident occurred.
Access Group claims that Nelnet, a vendor providing student loan processing services, was responsible for sending the files to the unauthorized party.
"Immediately after Access Group learned of this vendor error, we contacted the business that mistakenly received the files. That company confirmed the transferred files had been deleted and agreed to have the appropriate manager sign a sworn statement that the files had been deleted with no copies retained," reads a statement from Access Group, sent to SC Media. "Though exposure of any personal information was limited and access to any personal information was immediately terminated, Access Group provided written notice to those individuals whose files were included in the transfer and to their state Attorneys General."
In response to the incident, Access Group says it will also offer one year of free credit monitoring services to affected individuals, and will "continue to diligently monitor our vendor partnerships, including requiring written data transfer protocols and demanding that vendor employees verify the recipients of data transfers before initiating the action."
SC Media has reached out to Nelnet for comment.