Kaplan, the Florida-based educational services company serving approximately 1.2 million students annually, reported a data breach to state regulators in at least seven US states confirming that Social Security numbers and driver's license numbers of at least 230,941 individuals were stolen in a server intrusion that lasted from October 30 to November 18, 2025. Kaplan is owned by Graham Holdings ($4.9B revenue). The company serves SAT, ACT, MCAT, LSAT, and GMAT test-takers as well as over 15,000 corporate clients globally. No threat actor has claimed responsibility. Multiple class-action lawsuits have been filed.
What Happened
Kaplan discovered unauthorized access to its servers sometime after November 18, 2025, the date the intrusion ended, and notified law enforcement following discovery. An investigation confirmed that attackers had persistent access to Kaplan's server infrastructure for a 19-day window, October 30 through November 18, 2025.
Kaplan filed breach notification letters in at least seven states, disclosing that hackers "took certain files" during the intrusion. State-level disclosure requirements vary, and only a subset of states publish the affected count. Aggregating confirmed state disclosures yields a minimum of 230,941 affected individuals:
- Texas: 173,676
- South Carolina: ~26,600
- Maine: 19,075
- New Hampshire: ~11,600
- Additional states undisclosed
The total affected population is likely higher than 230,941. Kaplan has not confirmed a global total and did not respond to press inquiries. The company's reach (1.2 million students, 27 countries, 15,000+ corporate clients) means the full breach population could be substantially larger than state disclosures suggest.
Multiple law firms have initiated class-action litigation in connection with the incident.
What Was Taken
Confirmed compromised data includes:
- Full names
- Social Security numbers
- Driver's license numbers
Together, these three elements form a complete identity-fraud kit, sufficient for opening fraudulent credit accounts, filing fraudulent tax returns, applying for government benefits under a stolen identity, and SIM-swap attacks against carriers that rely on knowledge-based identity verification. Driver's license numbers additionally enable identity-document fraud in states where they serve as a primary verification credential.
The scope of "certain files" has not been characterized beyond these three data types. Given that Kaplan's operations span medical school, law school, and business school test prep as well as corporate employee development programs, the affected servers likely also held academic records, employment-related assessments, and corporate training data, though none of these has been confirmed as exfiltrated.
Why It Matters
Kaplan's student population is a high-value target for long-horizon identity fraud. Students preparing for graduate and professional school exams (MCAT, LSAT, GMAT) are typically in their 20s and early 30s: an age cohort with clean credit histories, limited existing fraud monitoring, and decades of financial life ahead. SSNs harvested from this demographic have extended utility for fraudsters.
The 19-day dwell time indicates a patient, methodical intrusion rather than a smash-and-grab. Three weeks of undetected server access suggests inadequate endpoint detection and response, an absence of behavioral monitoring on server access patterns, an attacker operating carefully below detection thresholds, or some combination of the three. The data taken, SSNs and driver's license numbers in bulk file form, is consistent with a pre-planned exfiltration of specific high-value identity data rather than opportunistic ransomware.
The geographic distribution of state filings reveals asymmetric data holdings. Texas accounts for 75% of confirmed affected individuals (173,676 of 230,941). This concentration may reflect a Texas-specific product, a regional data center, or a state-specific student population, but it also suggests that Kaplan's data architecture may concentrate significant PII in region-specific server clusters, which makes a single-server compromise disproportionately impactful.
Corporate client exposure is the understated risk. Kaplan serves 15,000+ corporate clients on employee development and training programs, and those programs collect employee PII for enrollment and credentialing. The breach notification focuses on student impact, but corporate training participants may sit in the same data environment, creating an enterprise-level exposure that has not been quantified.
Class-action litigation is already underway. The combination of SSN exposure, 230,000+ affected individuals, and multi-state filing footprint makes this a litigation magnet. Organizations handling student and professional PII at scale should note this incident as a reference point for breach liability exposure.
The Attack Technique
The specific initial access vector and intrusion methodology have not been disclosed. No ransomware group or hacking collective has claimed responsibility, which is notable. The absence of a public claim may indicate one of the following:
- The attacker is a data broker or criminal actor who prefers quiet exfiltration over public pressure campaigns
- The breach was executed by an insider or a sophisticated actor avoiding attribution
- The operation sidesteps the double-extortion model entirely and is focused purely on data theft for resale
The 19-day access window on a production server environment suggests one or more of: exploitation of an unpatched internet-facing vulnerability in the October 2025 timeframe, credential compromise via phishing or credential stuffing against a remote access point, or supply chain compromise through a Kaplan vendor or third-party integration. The "certain files" language in the notification, implying specific file exfiltration rather than encryption, is consistent with a data-theft-only operation.
What Organizations Should Do
- Implement file access auditing on servers containing PII collections. The attacker accessed "certain files" containing bulk SSN and driver's license data. File-level auditing (logging which accounts accessed which files, when, and from where) is the detection mechanism that catches this class of attack; without it, 19 days of file access goes unnoticed. On Windows, enable the "Audit File System" subcategory and place a SACL on the directories holding bulk PII so that Security Event ID 4663 (an attempt was made to access an object) is generated for reads; on Linux, set auditd file watches (auditctl -w) on the same paths. Note that 4663 records the account and logon session but not the source address; correlate its SubjectLogonId with the matching 4624 logon event to recover where the access came from.
- Segment and vault bulk identity data collections. SSN and driver's license number databases should not reside on the same servers as application code, user authentication systems, or operational infrastructure. Dedicated, access-controlled data vaults with hardware-enforced encryption at rest and strict service account permissions limit the blast radius of a server compromise to the specific data tier rather than the entire student and client population.
- Establish an anomaly detection baseline for server data access volume. Exfiltrating 230,000+ SSN records requires significant data movement. File server and database access monitoring should flag when query volumes, row counts, distinct files touched, or data transfer sizes exceed normal operational thresholds for a given service account or user session. This is achievable with SIEM rules, UEBA tooling, or database activity monitoring.
- Apply multi-factor authentication to all remote and administrative server access. Compromised credentials used against remote access systems (RDP, VPN, jump hosts) are among the most common initial access vectors for long-dwell server intrusions. MFA on all administrative and remote access paths is the single most effective control against credential-based server intrusion. There is no acceptable exception for servers holding SSN data.
- Conduct a full breach population audit across all data environments, not just the compromised servers. Kaplan's disclosure covers identified affected individuals, but the total may be higher. Organizations in this situation should enumerate every data store reachable from the compromised server segments, assess what data was present, and ensure notification covers the full potentially affected population rather than only confirmed file access events.
- Brief corporate client security teams immediately when their employee data may be in scope. Kaplan's 15,000+ corporate clients have their own notification and remediation obligations if employee PII was stored on compromised servers. Proactive outreach to enterprise clients, even before full scope confirmation, lets those organizations activate their own incident response workflows and protects Kaplan from downstream liability for delayed client notification.
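To make the file-auditing and access-volume-baseline recommendations above concrete, here is an added Python example. It is not Kaplan's tooling and does not come from the breach notifications; the log lines are constructed, flattened Windows Security 4663 records, and the D:\Data\Enrollment vault path, the svc-enroll and jdoe accounts, the logon IDs and the process names are all invented for the example. The script builds a per-account baseline of how many distinct PII files one logon session reads in a day, then flags any session on or after the intrusion date that exceeds three times that baseline or an absolute floor of ten files, reporting the process that performed the reads.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data (not real Kaplan logs). Each line is a flattened
# Windows Security event 4663 (object access) record: an ISO timestamp
# followed by the 4663 fields this check uses. The D:\Data\Enrollment vault
# path, accounts, logon IDs and process names are invented. AccessMask bit
# 0x1 is ReadData; 0x2 is WriteData.
BASELINE_LINES = [
    "2025-10-27T09:12:03 EventID=4663 SubjectUserName=svc-enroll SubjectLogonId=0x3e7a1 "
    "ObjectName=D:\\Data\\Enrollment\\2025-10-27.csv AccessMask=0x1 ProcessName=enroll.exe",
    "2025-10-27T17:40:19 EventID=4663 SubjectUserName=svc-enroll SubjectLogonId=0x3e7a1 "
    "ObjectName=D:\\Data\\Enrollment\\2025-10-27.csv AccessMask=0x2 ProcessName=enroll.exe",
    "2025-10-28T09:10:44 EventID=4663 SubjectUserName=svc-enroll SubjectLogonId=0x3e7a1 "
    "ObjectName=D:\\Data\\Enrollment\\2025-10-28.csv AccessMask=0x1 ProcessName=enroll.exe",
    "2025-10-28T11:02:10 EventID=4663 SubjectUserName=svc-enroll SubjectLogonId=0x3e7a1 "
    "ObjectName=D:\\Data\\Enrollment\\2025-10-27.csv AccessMask=0x1 ProcessName=enroll.exe",
    "2025-10-29T09:15:31 EventID=4663 SubjectUserName=svc-enroll SubjectLogonId=0x3e7a1 "
    "ObjectName=D:\\Data\\Enrollment\\2025-10-29.csv AccessMask=0x1 ProcessName=enroll.exe",
    "2025-10-29T09:16:02 EventID=4663 SubjectUserName=jdoe SubjectLogonId=0x41c20 "
    "ObjectName=D:\\Data\\Public\\schedule.pdf AccessMask=0x1 ProcessName=explorer.exe",
]
# Constructed intrusion-day traffic: the service account's normal daytime
# session reads one file, while a new logon session for the same account
# reads 40 distinct historical enrollment files at 02:00 via PowerShell.
INTRUSION_DAY_LINES = [
    "2025-10-30T09:14:55 EventID=4663 SubjectUserName=svc-enroll SubjectLogonId=0x3e7a1 "
    "ObjectName=D:\\Data\\Enrollment\\2025-10-30.csv AccessMask=0x1 ProcessName=enroll.exe",
] + [
    f"2025-10-30T02:{11 + i:02d}:07 EventID=4663 SubjectUserName=svc-enroll SubjectLogonId=0x5b9c2 "
    f"ObjectName=D:\\Data\\Enrollment\\2025-{9 - i // 30:02d}-{i % 30 + 1:02d}.csv "
    "AccessMask=0x1 ProcessName=powershell.exe"
    for i in range(40)
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
PII_PREFIXES = ("D:\\Data\\Enrollment\\",)  # hypothetical vault location(s)


def parse_event(line):
    """Split a flattened record into a dict; 'ts' becomes a datetime."""
    # Real 4663 ObjectName values can contain spaces; in production parse the
    # EVTX/XML fields directly instead of relying on this whitespace split.
    ts, _, rest = line.partition(" ")
    event = dict(FIELD_RE.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event


def is_pii_read(event):
    """True for a 4663 read (ReadData bit set) of a file under a PII vault path."""
    return (event.get("EventID") == "4663"
            and event["ObjectName"].startswith(PII_PREFIXES)
            and (int(event["AccessMask"], 16) & 0x1) != 0)


def pii_reads_by_session(events):
    """(account, logon id, day) -> distinct PII files read and processes used."""
    sessions = defaultdict(lambda: {"files": set(), "procs": set()})
    for ev in events:
        if is_pii_read(ev):
            key = (ev["SubjectUserName"], ev["SubjectLogonId"], ev["ts"].date())
            sessions[key]["files"].add(ev["ObjectName"])
            sessions[key]["procs"].add(ev["ProcessName"])
    return sessions


def build_baseline(events, before):
    """Per account: the most distinct PII files any one session read in a day before `before`."""
    worst = defaultdict(int)
    for (user, _lid, day), s in pii_reads_by_session(events).items():
        if day < before:
            worst[user] = max(worst[user], len(s["files"]))
    return dict(worst)


def flag_sessions(events, baseline, since, multiplier=3, floor=10):
    """Sessions on/after `since` whose distinct PII reads exceed max(floor, multiplier * baseline).

    The floor stops an account with no history (baseline 0) from being flagged
    on its first legitimate file while still catching bulk reads.
    """
    findings = []
    for (user, lid, day), s in pii_reads_by_session(events).items():
        if day < since:
            continue
        threshold = max(floor, multiplier * baseline.get(user, 0))
        if len(s["files"]) > threshold:
            findings.append({"user": user, "logon_id": lid, "day": day.isoformat(),
                             "files": len(s["files"]), "threshold": threshold,
                             "processes": sorted(s["procs"])})
    return findings


def analyze(lines=None, cutover=date(2025, 10, 30), multiplier=3, floor=10):
    """Baseline on everything before `cutover`, then flag sessions from `cutover` on."""
    if lines is None:
        lines = BASELINE_LINES + INTRUSION_DAY_LINES
    events = [parse_event(line) for line in lines]
    baseline = build_baseline(events, cutover)
    return {"baseline": baseline,
            "findings": flag_sessions(events, baseline, cutover, multiplier, floor)}


if __name__ == "__main__":
    result = analyze()
    print("baseline:", result["baseline"])
    for finding in result["findings"]:
        print("ALERT", finding)
```

Run stand-alone it reports the svc-enroll baseline of two files per session-day and a single alert for logon session 0x5b9c2 (40 files via powershell.exe), while the account's legitimate daytime session on the same day is not flagged because the key is the logon session, not just the account. In a real deployment the baseline window should be weeks rather than three days, and the session key should also carry the source address recovered from the correlated 4624 logon event so that the alert says where the reads came from.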