Navient says law-firm ransomware exposed borrower Social Security numbers

NAVI

·

Navient Corp. disclosed a material cybersecurity incident in a filing with the Securities and Exchange Commission on Thursday, saying borrower data including Social Security numbers was accessed in a ransomware attack on an outside law firm that provides services to the student-loan company.

The company said the breach was not found in Navient’s own network and did not interrupt its business. “The incident was limited to the Firm’s environment; the Company has not identified any evidence of unauthorized access to its own systems and has not experienced any disruption to its operations or customer services as a result of the incident,” Navient said in its Form 8-K.

Navient said in the filing, dated July 2, that it learned of the incident on June 8. “On June 8, 2026, the Company became aware of a cybersecurity incident involving a third-party law firm (the ‘Firm’) that provides services to the Company. The incident involved a ransomware attack affecting certain of the Firm’s information systems,” the company said. The filing lists June 29, 2026, as the date of the earliest event reported, and Navient said it determined the incident was material that day.

The accessed information included sensitive borrower data. “Such data includes borrower information such as customer names, date of birth, addresses and Social Security numbers,” Navient said. The filing does not identify the law firm involved, disclose how many borrowers or records were affected, or say whether the exposed data was encrypted.

Navient said it began investigating with outside cybersecurity experts after learning of the attack. The company also said it is notifying affected individuals and regulators as required by federal and state law, and that law enforcement has been notified. In the filing, Navient said: “The Company determined the incident to be material on June 29, 2026 in light of the volume and sensitivity of the information involved.”

The company said that, despite the sensitivity of the data involved, it does not currently expect the incident to have a significant financial effect. “As of the date of this report, the Company does not believe the incident has had, or is reasonably likely to have, a material impact on its financial condition or results of operations,” Navient said.

Navient is a publicly traded U.S. student-loan servicing and financial services company that was spun off from Sallie Mae in 2014. The disclosure underscores the risks large financial companies face through third-party service providers that handle sensitive consumer information, even when the companies’ own systems are not found to have been accessed.

Tags: #navient, #data-breach, #cybersecurity, #student-loans

Stocks: NAVI