Mar 24, 2026
Kaplan Had Hackers on Its Servers for 19 Days—Then Took 4 Months to Tell 230,000 People
An unauthorized actor accessed Kaplan North America's network for nearly three weeks in late 2025, stealing Social Security numbers and driver's license numbers belonging to hundreds of thousands of students and customers. The company did not begin sending breach notifications until March 2026.
19 Days of Unauthorized Access
Between October 30 and November 18, 2025, an unauthorized actor maintained access to Kaplan North America's internal servers. During that window, the attacker exfiltrated files containing names, Social Security numbers, and driver's license numbers belonging to at least 230,000 people across seven U.S. states.
Kaplan is best known for its test preparation services for the SAT, ACT, and graduate school exams. The company, owned by Graham Holdings and headquartered in Fort Lauderdale, Florida, serves roughly 1.2 million students annually and operates in 27 countries with over 15,000 corporate clients. The breach appears to have affected both current and former students as well as employees.
Four Months of Silence
Kaplan did not conclude its investigation until February 21, 2026, more than three months after the breach ended. Written notification letters did not reach affected individuals until March 17, 2026, roughly four and a half months after hackers first entered the network.
State breach notification laws vary, but many require disclosure within 30 to 60 days of discovery. Texas, where 173,676 residents were affected, requires notification "as quickly as possible" and no later than 60 days after the breach is discovered. South Carolina, with 26,612 affected residents, mandates notification within 30 days. Several class action law firms have already begun investigating whether Kaplan's timeline violated these requirements.
Who Is Affected
Breach notifications filed across at least seven states reveal the scope:
- Texas: 173,676 individuals
- South Carolina: 26,612 individuals
- Maine: 19,075 individuals
- New Hampshire: 11,653 individuals
- Rhode Island: 2,045 individuals
The total across all seven states exceeds 230,000 people, but some attorneys investigating the case believe the true number could be significantly higher given that Kaplan has not disclosed a complete nationwide figure. The company did not respond to press inquiries about the full impact.
Class Action Lawsuits Pile Up
Multiple law firms have launched class action investigations, including Schubert Jonckheer & Kolbe, Strauss Borrelli, and Migliaccio & Rathod. The suits center on two claims: that Kaplan failed to implement adequate security measures to protect sensitive personal data, and that the company took too long to notify affected individuals, leaving them exposed to identity theft during the delay.
No hacking group has publicly claimed responsibility for the breach. Kaplan has offered affected individuals credit monitoring and identity theft protection services, though the specific terms vary by state.
A Pattern in Education Breaches
The Kaplan breach adds to a growing list of education sector data incidents. In early 2026, PowerSchool settled for $17.25 million after secretly tracking 10 million students through its Naviance platform. Education companies hold some of the most sensitive data imaginable: Social Security numbers, academic records, financial information, and personal details about minors.
Unlike financial institutions, which face strict regulatory frameworks like PCI DSS and SOX, education companies operate under a patchwork of state laws with uneven enforcement. FERPA, the primary federal student privacy law, has not been meaningfully updated since 2011 and lacks a private right of action, meaning individuals cannot sue under it directly.
What You Should Do
If you have ever used Kaplan's services for test preparation, tutoring, or professional training, take these steps:
- Check your mail. Kaplan is sending written notification letters to affected individuals. If you receive one, follow the instructions to enroll in the free credit monitoring.
- Freeze your credit. Contact Equifax, Experian, and TransUnion to place a credit freeze. This prevents anyone from opening new accounts using your stolen Social Security number.
- Monitor your accounts. Watch bank statements, credit card bills, and any financial accounts for unauthorized activity over the next 12 months.
- Request an IRS Identity Protection PIN. If your SSN was compromised, request an IP PIN from the IRS to prevent fraudulent tax filings in your name.
The Bigger Problem
The Kaplan breach is not remarkable because of its size. At 230,000 records, it is modest compared to incidents like the AT&T breach that exposed 176 million records. What makes it notable is the delay. Four months between breach and notification is four months of exposure to identity theft, fraudulent credit applications, and tax fraud, all while the affected individuals had no idea their data had been stolen.
Until breach notification timelines carry meaningful penalties, companies will continue treating disclosure as a legal obligation to minimize rather than a duty to fulfill promptly. The people whose Social Security numbers were stolen deserve better.