ECMC reported last Friday, March 26th, that a data theft occurred over the weekend of March 20-21 from ECMC’s headquarters. During this breach, which has been termed a "theft," data was stolen that included names, addresses, dates of birth and social security numbers of some 3.3 million individual student loan borrowers. ECMC did note in its press release that no "bank account or other financial information" was stolen, which may not come as a huge relief to those affected considering the types of data that was stolen.
What is not clear is whether the information was encrypted, although it is not difficult to conclude that the information almost certainly was not encrypted in light of the public announcement and credit reporting. The media on which the records were contained, although not specifically identified, was referred to as "portable media."
ECMC’s president and CEO, Richard Boyle, said in the statement "[w]e deeply regret that this incident occurred and the stress it has caused our borrowers and our partners and are doing everything we can to help protect our borrowers’ identity and personal information."
ECMC is a guarantor of federal student loans. It is offering, gratis, the now-customary credit monitoring service from one of the major credit reporting bureaus (Experian, in this case).
ECMC reports that it delayed its public announcement at the direction of the law enforcement divisions.
This data breach of ECMC’s records further highlights the vast gap between state-level data encryption requirements that are emerging and the lack of the same at the federal level.