Kaplan North America recently notified regulators and began sending breach notices to impacted individuals.

 

What happened

The Florida-based education company recently began notifying state regulators and the public about a massive data breach. Kaplan, which provides educational services like test preparation, has been notifying various states at different times, making it difficult to determine the full extent of the breach.

According to The Record, as of now, Kaplan has informed state regulators in Oregon that 1.4 million people across multiple states have been impacted.

 

Going deeper

According to a copy of the breach notice provided to California residents, an unauthorized actor accessed Kaplan’s computer servers between October 30th, 2025, and November 18th, 2025. Information involved includes names, Social Security numbers, and driver’s license numbers. Currently, no threat actors have claimed responsibility for the event.

In a statement to The Record, Kaplan said it has completed the investigation. The company added, “We are in the process of sending notice to all individuals whose information was potentially contained in the involved files, in accordance with applicable law.”

 

What’s next

Although Kaplan only began sending notices earlier this month (beginning March 17th), it is already preparing for future legal battles regarding the incident. According to Westlaw, a suit was filed against Kaplan by Melissa Perez on March 24th in the U.S. District Court for the Southern District of Florida. The lawsuit makes several claims, including that Kaplan failed to notify victims in a timely manner and failed to implement reasonable cybersecurity measures, like properly encrypting computer files. The lawsuit also alleges that Kaplan failed to follow Federal Trade Commission guidelines and practices, like using spam filters to prevent phishing emails.

 

The big picture

According to an analysis from University Business, ransomware attacks across schools, colleges, and other educational institutions have seen an uptick in 2025. According to their report, attacks on US educational institutions accounted for over half of all logged ransomware attacks. Furthermore, the report noted that not all ransomware attacks are reported. Speaking specifically about universities, the article noted they currently do “little to defend themselves in these attacks.” Preventive tools like spam filtering and ExecProtect can keep highly targeted employees from being vulnerable.

 

FAQs

When will we know the final number of impacted individuals?

When it comes to education, there is less overall transparency regarding data breaches. Educational institutions like Kaplan must follow state laws, meaning they report the number of impacted individuals to states as required, but not all of these states publish the full numbers. Furthermore, we don’t know if every state has been notified. If a lawsuit goes before a judge, we may see the final numbers at that time.

 

Will the lawsuit be settled?

Currently, the lawsuit has only been filed, meaning it’s very early on in the process. Other lawsuits may emerge, and this lawsuit may eventually be consolidated with others. At that point, the suit will likely be settled, but there is always a chance it could go to trial.