Cyber attack on Kaplan systems impacted about 20,000 individuals

A major cyber attack on Kaplan North America, a leading provider of educational programmes, compromised the personal information of more than 19,000 individuals in the state of Maine.

 

The international educational services company announced the data breach in a cyber security incident notice filed with the office of the Attorney General of Maine on Tuesday, stating that the breach occurred due to unauthorised activity in its systems during a 20-day period between October and November.

 

Kaplan is a leading global provider of educational services, including preparatory services for specialised tests like LSAT, GMAT, SAT and Bar; and in-demand certifications for financial planning, insurance, securities, real estate, engineering, architecture, and accounting industries.  

 

The company also offers specialised and advanced language courses and expert training and support through partnerships with colleges and universities. Kaplan has more than 12,000 employees in 27 countries, partnerships with 3,300 educational institutions and has provided educational services to over 1.2 million students.

 

The educational services provider informed the Attorney General’s office that on February 21, it discovered evidence of unauthorised access to its computer network and pursued an investigation with assistance from external IT security experts to determine the nature and scope of the unauthorised activity.

 

"The investigation determined that an unauthorised actor accessed our computer servers between October 30, 2025 and November 18, 2025 and took certain files," Kaplan said in a letter sent to affected individuals. "We reviewed the files involved and, on February 21, 2026, we determined that one or more files contained your name, Social Security number, and/or driver’s license number."

 

Kaplan revealed that the cyber security incident compromised the names, Social Security numbers and driver’s licence numbers of approximately 19,075 residents of the state of Maine. At the time of reporting, the company is yet to announce the number of affected victims residing in other U.S. states or internationally.

 

The company did not share whether it had identified or contacted the cyber crime group or hackers who were behind the unauthorised access, nor did it state how much data was taken from its systems or whether a ransom payment was demanded.

 

Kaplan is offering one year of complimentary identity protection, fraud detection and identity theft prevention services to all the affected victims through Experian IdentityWorks. 

 

"Please be assured that we have and will continue to invest in the security of our computer systems and we have implemented additional measures to further enhance the security of our IT network. We have also taken steps to help prevent the dissemination of the files involved in this incident," the company said, without elaborating on how it prevented hackers from publishing the stolen data online.