Kaplan, the Graham Holdings-owned educational services giant serving approximately 1.2 million students and 15,000 corporate clients globally, has confirmed a data breach that ultimately affected 1.4 million individuals, more than six times the 230,000 figure initially disclosed to state regulators. Attackers accessed Kaplan's servers for 19 days between October 30 and November 18, 2025, exfiltrating files containing names, Social Security numbers, and driver's license numbers. The breach was disclosed to at least seven state attorneys general, law enforcement was notified, and multiple class-action lawsuits have been filed. No threat actor has claimed responsibility.

What Happened

The intrusion began October 30, 2025, and ran undetected for 19 days until Kaplan discovered it on or around November 18. Law enforcement was engaged following discovery, and a forensic investigation was completed. Kaplan then began filing breach notification letters with state regulators, a process that revealed the significant gap between initial and final victim counts.

Initial multi-state filings reflected a partial picture: 19,075 victims in Maine, approximately 26,600 in South Carolina, 173,676 in Texas, and 11,600 in New Hampshire (a combined disclosed total of 230,941). These figures reflected only the states whose regulators publicly publish breach notification data. The fuller picture emerged on March 24, 2026, when Kaplan informed Oregon regulators that 1.4 million individuals were affected, a disclosure that more than sextupled the publicly visible count and confirmed that the earlier figures represented only a fraction of actual exposure.

Kaplan's completed investigation determined that "an unauthorized third party accessed certain information contained within our network" and "took certain files" during the access window. The company states it is in the process of notifying all 1.4 million affected individuals in accordance with applicable law. Several law firms have already initiated class-action proceedings against Kaplan and its parent company Graham Holdings, which reported $4.9 billion in revenue last year.

What Was Taken

Kaplan confirmed that the exfiltrated files contained three data categories: names, Social Security numbers, and driver's license numbers.

The combination of SSN plus driver's license number per individual is a complete identity fraud package. Unlike a credential dump that requires cracking or credential stuffing, SSN + DL data is immediately actionable for: new account fraud, IRS tax return fraud, loan and credit card applications, benefits fraud, and medical identity theft.

Kaplan's student population skews young: its test prep for the SAT, ACT, MCAT, LSAT, and GMAT serves high school through graduate school applicants. Young adults establishing credit histories are particularly vulnerable to identity fraud, as many lack the monitoring infrastructure (credit alerts, identity theft protection services) that older adults have accumulated.

Why It Matters

The disclosure gap tells a story about regulatory arbitrage. Kaplan's initial multi-state filings produced a public victim count of 230,941, because most states do not publish breach notification data. The true count of 1.4 million only surfaced when Oregon, a state that does publish, received its filing. This 6x gap is not unusual; it reflects how the fragmented U.S. state-by-state notification framework creates a structural incentive to minimize the apparent scale of breaches in public-facing filings. Regulators and researchers should treat published multi-state breach counts as systematic undercounts.

Education sector breach economics are underappreciated. Kaplan holds identity data on millions of individuals at a specific, high-value life stage: standardized test takers applying to undergraduate and graduate programs. These individuals are simultaneously establishing financial identities, applying for federal student loans, and enrolling in new institutions. Each of these processes relies heavily on SSN verification. A stolen SSN from a 17-year-old SAT student may go undiscovered for years while it is actively exploited.

Corporate client exposure extends the blast radius. Kaplan is not only a consumer test prep company; it operates employee development programs for more than 15,000 corporate clients. If any portion of the 1.4 million affected individuals includes corporate learners, the breach touches workforce identity data across a wide swath of Kaplan's enterprise client base.

A 19-day dwell time in fall 2025 suggests targeted, deliberate access. The October 30 start date falls outside the peak holiday-window timing used by opportunistic attackers, suggesting either a targeted intrusion with specific data objectives or an automated compromise that the attacker actively managed over nearly three weeks. The deliberate file exfiltration Kaplan describes ("took certain files") indicates selective data targeting rather than indiscriminate encryption.

The Attack Technique

Kaplan has not disclosed the initial access vector. The investigation is described as complete, but technical details have not been made public. For an education services company of Kaplan's profile (operating across 27 countries with student-facing portals, corporate learning platforms, and administrative infrastructure) high-probability entry paths include:

The selective file exfiltration pattern, specific files containing SSNs and DL numbers rather than mass encryption, is more consistent with data theft for monetization than ransomware for extortion, though no group has claimed the incident.

What Organizations Should Do

  1. Map every internal system that stores government identity documents and enforce need-to-know access. SSNs and driver's license numbers should not exist in general-purpose file servers or broadly accessible network shares. Audit who has read access to files containing government identifiers, implement data classification labels, and restrict access to only the specific roles and systems that require it for defined business functions.

  2. Deploy file access monitoring and exfiltration detection on sensitive data stores. A 19-day access window in which an attacker "took certain files" should produce detectable signals: bulk file reads, unusual access patterns, large outbound data transfers. Organizations holding government identity data should configure DLP and SIEM alerting specifically for anomalous access to files tagged as containing SSNs or government IDs, not just for encryption events.

  3. Accelerate notification beyond minimum regulatory timelines. The 1.4 million Kaplan victims are learning, in March 2026, that their SSNs were stolen in November 2025. That is a 4+ month window of unprotected exposure. Faster internal triage, pre-built notification templates, and regulatory pre-engagement can compress this timeline materially. Victims who know sooner can freeze credit, file IRS identity protection PINs, and monitor accounts before fraud occurs.

  4. Offer identity protection services that match the data exposed. Credit monitoring alone is insufficient for SSN + driver's license exposure. Affected individuals need: credit freezes at all three bureaus (Equifax, Experian, TransUnion) plus ChexSystems and NCTUE, IRS Identity Protection PIN enrollment, state DMV fraud alerts, and dark web monitoring for their specific identifiers. Organizations responsible for this category of breach should fund a comprehensive identity protection package, not the minimum contractually required offering.

  5. Implement network segmentation isolating student record systems from general infrastructure. If the attacker's 19-day dwell period allowed access to files across a broad internal network, the absence of meaningful segmentation is the enabling condition. Student PII systems, HR systems, and corporate learning databases should operate in isolated segments with strict east-west traffic controls, requiring explicit authentication to cross boundaries rather than relying on perimeter defenses alone.

  6. Engage proactively with state AGs before they come to you. Kaplan's 6x disclosure gap between initial state filings and the Oregon count will attract regulatory attention. Organizations that discover their breach scope is growing should proactively update all regulatory filings simultaneously, not file initial low-count notices and update incrementally as states with disclosure requirements surface the full picture. Regulators remember which companies disclosed fully and promptly versus which ones they had to pull numbers out of.
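To make items 1 and 2 concrete, here is an added example (not Kaplan's or this article's code) that applies a need-to-know policy and three anomaly checks to a file-access audit trail: the file paths, classification labels, roles, thresholds and log events are all constructed assumptions, and the checks correspond to the signals item 2 names (reads by roles outside the allowed set, single large reads, and bursts of reads of government-ID-labelled files by one principal).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed classification inventory (assumed output of a data-discovery scan):
# path -> label. Only GOV_ID files (SSNs, driver's license numbers) are policed here.
CLASSIFIED = {
    "/share/admissions/2025_applicants.csv": "GOV_ID",
    "/share/hr/onboarding/i9_batch.xlsx": "GOV_ID",
    "/share/marketing/q4_plan.pptx": "INTERNAL",
}
# Constructed need-to-know policy: which roles may read each label (item 1).
ALLOWED_ROLES = {"GOV_ID": {"registrar", "hr-compliance"}}

# Constructed file-access audit events: (ISO timestamp, principal, role, path, bytes read)
EVENTS = [
    ("2025-11-02T02:11:00", "svc-backup", "backup", "/share/admissions/2025_applicants.csv", 48_000_000),
    ("2025-11-02T09:05:00", "j.doe", "registrar", "/share/admissions/2025_applicants.csv", 120_000),
    ("2025-11-02T09:06:00", "j.doe", "registrar", "/share/marketing/q4_plan.pptx", 3_000),
    ("2025-11-02T09:07:00", "j.doe", "registrar", "/share/hr/onboarding/i9_batch.xlsx", 90_000),
    ("2025-11-02T09:09:00", "j.doe", "registrar", "/share/admissions/2025_applicants.csv", 110_000),
    ("2025-11-02T10:30:00", "j.doe", "registrar", "/share/admissions/2025_applicants.csv", 100_000),
]


def detect(events, classified, allowed_roles, window=timedelta(minutes=10),
           burst_threshold=3, bulk_bytes=20_000_000):
    """Return alerts for reads of GOV_ID-labelled files (item 2). Thresholds are
    illustrative, not tuned: a role outside the need-to-know set, a single large
    read, and a burst of labelled-file reads by one principal inside the window."""
    alerts = []
    recent = defaultdict(list)  # principal -> timestamps of GOV_ID reads inside window
    for ts, who, role, path, nbytes in sorted(events):
        label = classified.get(path)
        if label != "GOV_ID":
            continue  # unlabelled or lower-sensitivity reads are not policed here
        t = datetime.fromisoformat(ts)
        if role not in allowed_roles[label]:
            alerts.append(("ROLE_VIOLATION", who, path))
        if nbytes >= bulk_bytes:
            alerts.append(("BULK_READ", who, path))
        recent[who] = [u for u in recent[who] if t - u <= window] + [t]
        if len(recent[who]) == burst_threshold:  # fire once per burst, not on every read
            alerts.append(("BURST", who, len(recent[who])))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, CLASSIFIED, ALLOWED_ROLES):
        print(alert)
```

On the constructed events this flags the backup service account's out-of-policy 48 MB read and a three-file burst by the registrar inside ten minutes, while the same registrar's isolated read an hour later produces nothing.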

Sources