Full Report
The educational services company Kaplan told state regulators last week that at least 230,000 people had Social Security and driver’s license numbers leaked following a cybersecurity incident in the fall of 2025. The Florida-based company filed breach notification letters in at least seven states but did not respond to requests for comment about the total number of people impacted by the security incident. The letters sent to victims say law enforcement was called after the incident was discovered and an investigation revealed the hackers had access to Kaplan servers from October 30 to November 18.
Analysis Summary
# Incident Report: Kaplan Data Breach (Fall 2025)
## Executive Summary
In the fall of 2025, the educational services company Kaplan experienced a data breach in which unauthorized actors had access to internal servers from October 30 to November 18, 2025, roughly three weeks. The incident resulted in the compromise of sensitive Personally Identifiable Information (PII), including Social Security and driver’s license numbers, for at least 230,000 individuals. Kaplan contacted law enforcement after discovering the incident, conducted a forensic investigation, filed breach notifications with state regulators, and is now facing multiple class-action lawsuits.
## Incident Details
- **Discovery Date:** Not disclosed (the notification letters say only that law enforcement was contacted after the incident was discovered)
- **Incident Date:** October 30, 2025 – November 18, 2025
- **Affected Organization:** Kaplan (Owned by Graham Holdings)
- **Sector:** Educational Services
- **Geography:** Florida-based; global operations; impacts reported across at least seven U.S. states.
## Timeline of Events
### Initial Access
- **Date/Time:** October 30, 2025
- **Vector:** Not disclosed
- **Details:** Threat actors established unauthorized access to Kaplan servers.
### Lateral Movement
- **Details:** Not disclosed. The notifications say only that the actors had access to Kaplan servers for the 20-day window; whether that reflects lateral movement from a single foothold or access to several systems from the outset is not stated.
### Data Exfiltration/Impact
- **Details:** Between October 30 and November 18, hackers "took certain files." The exfiltrated data included names, Social Security numbers (SSNs), and driver’s license numbers.
### Detection & Response
- **Discovery:** Date not disclosed; the investigation established the access window as October 30 to November 18, 2025.
- **Response Actions:** Kaplan contacted law enforcement, commissioned a forensic investigation, and filed breach notification letters with regulators in at least seven states in March 2026, roughly four months after the access ended.
## Attack Methodology
- **Initial Access:** Not disclosed. Nothing in the public notifications identifies the entry point.
- **Persistence / Dwell Time:** Access maintained for 20 days (October 30 to November 18, 2025); the persistence mechanism is not disclosed.
- **Exfiltration:** Files containing PII were taken from internal servers; the notifications do not describe how the data left the network.
- **Impact:** Compromise of high-value PII (SSNs and driver’s license numbers) that enables identity theft and new-account fraud; unlike passwords, these identifiers cannot be rotated by the victims.
## Impact Assessment
- **Financial:** Graham Holdings reported $4.9 billion in revenue; however, costs for remediation, legal fees, and potential settlements are pending.
- **Data Breach:** At least 230,000 individuals according to the state filings. Per-state counts reported so far: Texas 173,676; South Carolina 26,600; Maine 19,075; New Hampshire more than 11,600. These four filings alone account for roughly 231,000 people; Kaplan has not released a total across all affected states.
- **Operational:** No significant business downtime reported; focus was on data loss.
- **Reputational:** Criticism for not responding to media requests for comment on the total number of people affected, plus multiple class-action lawsuits, including one filed by the firm Wolf Haldenstein.
## Indicators of Compromise
- **Network indicators:** None disclosed in the public notification.
- **File indicators:** None disclosed.
- **Behavioral indicators:** None disclosed. The only public detail is the access window (October 30 to November 18, 2025); a retrospective review of server access and file-read logs for that period is the only actionable hunting lead the notifications provide.
## Response Actions
- **Containment:** The unauthorized access ended on November 18, 2025. The notifications do not say whether this was the result of a containment action by Kaplan or the actors leaving on their own, so the 20-day figure should be read as the observed access window, not as a confirmed detection-to-containment time.
- **Scoping / Eradication:** A forensic investigation determined which files were accessed and which individuals were affected; specific eradication steps (credential resets, system rebuilds) are not described.
- **Notification:** Regulatory filings in at least seven states and direct letters to affected individuals.
## Lessons Learned
- **Visibility Gaps:** The attackers had access for 20 days without being cut off, which points to missing or unreviewed telemetry on the servers holding PII (file-access auditing, authentication logs, EDR alerts) rather than a single missed alert.
- **Data Minimization:** The volume of sensitive PII (SSNs and driver’s licenses) stored on these servers highlights the risk of retaining high-value identifiers on systems reachable from the broader network; data that is not retained cannot be exfiltrated.
- **Disclosure Latency:** Roughly four months elapsed between the end of the intrusion (November 2025) and the state filings (March 2026), during which affected individuals could not take protective steps such as credit freezes.
## Recommendations
- **Encryption at Rest:** Encrypt files and fields containing SSNs and driver’s license numbers so that exfiltrated copies are useless. This only works if the keys are out of reach of the compromised servers: full-disk or transparent database encryption does nothing against an actor who is already logged in, because the server itself holds those keys. Use application-layer encryption with keys held in a separate key management service.
- **Implement Zero Trust / Segmentation:** Segment the servers that hold PII from the rest of the estate, require strong authentication for every account (service accounts included) that reaches them, and grant access to PII shares only to the specific systems that need it, so that a foothold elsewhere does not translate into file read access.
- **Enhanced Logging:** Centralize file-access, authentication and network logs from systems holding PII and alert on bulk reads, new or unexpected sources, and off-hours activity, with a target of detecting unauthorized access within hours rather than weeks.
- **Vulnerability Management:** Maintain an inventory of internet-facing assets and patch them on a fixed, short cadence. The entry point in this incident is undisclosed, but exposed, unpatched edge systems and stolen credentials remain the most common initial access for data-theft intrusions against education providers.
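The encryption recommendation above only helps against this kind of intrusion if the decryption key is out of the attacker's reach: an actor with three weeks of server access can read straight through full-disk or database-level encryption, because the server holds those keys. The Go program below is an added example, not Kaplan's code or anything described in the notifications. It shows application-layer envelope encryption: each SSN is sealed with AES-256-GCM under a per-record data key (DEK), and the DEK is wrapped under a key encryption key (KEK) assumed to live in a separate key service. The record layout, the sample SSN and both keys are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a PII row as it would sit on the file server: the SSN exists
// only as ciphertext plus a per-record data key (DEK) wrapped under a key
// encryption key (KEK). The KEK is assumed to live in a separate key
// service and never on this server. Field names are illustrative.
type Record struct {
	Name       string
	SSNCipher  []byte // nonce || AES-GCM(DEK, ssn)
	WrappedDEK []byte // nonce || AES-GCM(KEK, dek)
}

// seal encrypts with AES-256-GCM and a fresh random nonce, nonce prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any modified byte fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptRecord is envelope encryption with a fresh 256-bit DEK per record.
func EncryptRecord(kek []byte, name, ssn string) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ssnCipher, err := seal(dek, []byte(ssn))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{Name: name, SSNCipher: ssnCipher, WrappedDEK: wrapped}, nil
}

// DecryptSSN requires the KEK. Whoever copies the records (even with the
// disk-encryption key) but cannot reach the key service gets an error here.
func DecryptSSN(kek []byte, r Record) (string, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	ssn, err := open(dek, r.SSNCipher)
	if err != nil {
		return "", fmt.Errorf("decrypt SSN: %w", err)
	}
	return string(ssn), nil
}

func main() {
	kek := make([]byte, 32) // would come from a KMS/HSM, not this host
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(kek, "Constructed Example", "123-45-6789")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on server: %x\n", rec.SSNCipher)
	attackerKey := make([]byte, 32) // exfiltrated copy, but no KEK
	if _, err := DecryptSSN(attackerKey, rec); err != nil {
		fmt.Println("exfiltrated copy without KEK:", err)
	}
	ssn, _ := DecryptSSN(kek, rec)
	fmt.Println("with KEK:", ssn)
}
```

The design point is where the KEK lives. If the same server that stores the records can call the key service freely, an attacker on that server can decrypt at will, so the key service must authenticate callers, rate-limit unwrap requests, and log them; a burst of DEK unwraps is itself a detection signal for the kind of bulk theft described in this incident.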
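The visibility gap noted under Lessons Learned and the logging recommendation above come down to one question: what would have fired during the 20 days of access? As an added example (not Kaplan's tooling; no log format or detection logic from the incident was disclosed), the Go program below parses a constructed file-access log, buckets reads of a PII share by source and hour, and flags both bulk reads and sources that have no business on the share. The log format, hosts, paths, the allowlist and the 50-files-per-hour threshold are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one file read. The "timestamp k=v ..." format parsed below is
// constructed for this example; no Kaplan log format was disclosed.
type Event struct {
	When time.Time
	Src  string
	Path string
}

// ParseLine turns one log line into an Event.
func ParseLine(line string) (Event, error) {
	tsField, rest, _ := strings.Cut(line, " ")
	ts, err := time.Parse(time.RFC3339, tsField)
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := Event{When: ts}
	for _, f := range strings.Fields(rest) {
		k, v, _ := strings.Cut(f, "=")
		switch k {
		case "src":
			ev.Src = v
		case "path":
			ev.Path = v
		}
	}
	return ev, nil
}

// Alert explains why one (source, hour) bucket was flagged.
type Alert struct {
	Src    string
	Hour   time.Time
	Files  int
	Reason string
}

// DetectPIIAccess buckets reads under piiPrefix by source and UTC hour, then
// flags sources not on the allowlist and sources reading more than maxFiles
// distinct files in an hour. Both thresholds are assumptions to tune locally.
func DetectPIIAccess(events []Event, piiPrefix string, maxFiles int, allowed map[string]bool) []Alert {
	type bucket struct{ src string; hour time.Time }
	seen := map[bucket]map[string]bool{}
	for _, ev := range events {
		if !strings.HasPrefix(ev.Path, piiPrefix) {
			continue
		}
		b := bucket{ev.Src, ev.When.UTC().Truncate(time.Hour)}
		if seen[b] == nil {
			seen[b] = map[string]bool{}
		}
		seen[b][ev.Path] = true
	}
	var alerts []Alert
	for b, files := range seen {
		switch {
		case !allowed[b.src]:
			alerts = append(alerts, Alert{b.src, b.hour, len(files), "unexpected source on PII share"})
		case len(files) > maxFiles:
			alerts = append(alerts, Alert{b.src, b.hour, len(files), "bulk read of PII files"})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Hour.Before(alerts[j].Hour) })
	return alerts
}

// SampleLog is constructed traffic for 2 Nov 2025: one routine payroll read,
// an allowed backup host sweeping 300 records at 02:00, and an unknown host.
func SampleLog() []string {
	line := func(t time.Time, src string, i int) string {
		return fmt.Sprintf("%s src=%s action=read path=/pii/records/%06d.csv", t.Format(time.RFC3339), src, i)
	}
	day := time.Date(2025, 11, 2, 0, 0, 0, 0, time.UTC)
	lines := []string{line(day.Add(9*time.Hour), "10.0.1.10", 7)}
	for i := 0; i < 300; i++ {
		lines = append(lines, line(day.Add(2*time.Hour+time.Duration(i)*time.Second), "10.0.5.23", i))
	}
	return append(lines, line(day.Add(3*time.Hour), "10.0.9.77", 42))
}

func RunSample() []Alert {
	var events []Event
	for _, l := range SampleLog() {
		ev, _ := ParseLine(l) // constructed lines are well-formed
		events = append(events, ev)
	}
	return DetectPIIAccess(events, "/pii/", 50, map[string]bool{"10.0.1.10": true, "10.0.5.23": true})
}

func main() {
	for _, a := range RunSample() {
		fmt.Printf("%s %s: %d PII files, %s\n", a.Hour.Format(time.RFC3339), a.Src, a.Files, a.Reason)
	}
}
```

Note that the sweep comes from an allowlisted host using an account that legitimately touches the share; per-read authorization checks would pass every one of those 300 reads. The signal is only visible in aggregate, which is why the file-access logs have to be centralized and counted rather than merely retained.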