Navient Reports Ransomware Attack At Third-Party Law Firm On June 8, 2026; No Unauthorized Access To Navient Systems Or Disruption To Operat
On June 8, 2026, the Company became aware of a cybersecurity incident involving a third‑party law firm (the "Firm") that provides services to the Company. The incident involved a ransomware attack affecting certain of the Firm’s information systems. The Company was informed by the Firm that an unauthorized actor accessed certain Company-related data maintained by the Firm as a result of the Firm’s provision of legal services to the Company. Such data includes borrower information such as customer names, date of birth, addresses and Social Security numbers. The Company promptly initiated an investigation, with the assistance of external cybersecurity experts, and is conducting notifications to affected individuals and regulators as required by applicable federal and state laws. Law enforcement has also been notified. The incident was limited to the Firm’s environment; the Company has n...
On June 8, 2026, the Company became aware of a cybersecurity incident involving a third‑party law firm (the "Firm") that provides services to the Company.
The incident involved a ransomware attack affecting certain of the Firm’s information systems.
The Company was informed by the Firm that an unauthorized actor accessed certain Company-related data maintained by the Firm as a result of the Firm’s provision of legal services to the Company.
Such data includes borrower information such as customer names, date of birth, addresses and Social Security numbers.
The Company promptly initiated an investigation, with the assistance of external cybersecurity experts, and is conducting notifications to affected individuals and regulators as required by applicable federal and state laws.
Law enforcement has also been notified.
The incident was limited to the Firm’s environment; the Company has not identified any evidence of unauthorized access to its own systems and has not experienced any disruption to its operations or customer services as a result of the incident.
Notwithstanding the foregoing, the Company determined the incident to be material on June 29, 2026 in light of the volume and sensitivity of the information involved.
As of the date of this report, the Company does not believe the incident has had, or is reasonably likely to have, a material impact on its financial condition or results of operations.