Third-party vendor is to blame for breach which could affect 16,500 people.

A US student loans company which suffered a third-party data breach has apologized to customers.

Access Group Education Learning revealed that up to 16,500 borrowers could have been affected in the incident, during which copies of personal information were exposed.

Nelnet, a Nebraska-based financial services company which processes loans on behalf of Access Group, reportedly sent on personal records to an unreported business by accident.

In a statement sent to The Daily Swig, Access Group claimed the leaked files have been deleted and that no other copies were kept.

The statement read: “That company confirmed the transferred files had been deleted and agreed to have the appropriate manager sign a sworn statement that the files had been deleted with no copies retained.

“Though exposure of any personal information was limited and access to any personal information was immediately terminated, Access Group provided written notice to those individuals whose files were included in the transfer and to their state Attorneys General.”

It added: “Access Group values the trust our student loan borrowers and co-signers have placed in us, and we hold the privacy of our customer’s personal information in the highest regard.

“We regret any concern this incident may have caused our borrowers and we feel confident that we have minimized any threat to their personal information.”

Access Group is offering one years’ worth of free credit monitoring services to all customers affected in the incident.

It also said it would introduce written data transfer protocols for third-party vendors, and that it will require vendors to verify the recipient before data is passed on.

This breach comes months after a targeted phishing campaign fleeced thousands of pounds from students at British universities.

More than £100,000 was taken from loan accounts in a devious phishing attack by attackers posing as the government-funded Student Loans Company (SLC).

A report by Cyber Risk Aware revealed that £108,205 was illegally rerouted to offshore bank accounts since the beginning of the 2015 academic year up to December 2017.

It was stolen via a phishing attack, which encouraged recipients to change their SLC login details to access their funds.

Stephen Burke, CEO of Cyber Risk Aware, told The Daily Swig: “Cybercriminals have moved away from having attachments in emails. They’ve moved more towards having links in websites.

“The victims might have some security software that may strip an attachment from an email, but they can’t strip a link.

“These people then knowingly go onto a website and enter their details when they should really be saying, ‘This doesn’t make sense, I’ve been told numerous times never to enter details’.

“Yet people do, and it just confirms yet again that colleges and the Student Loan Company need to do a better job at helping people to become more aware.”