STOCK TITAN

Third-party cyber incident exposes Navient (JSM) borrower data via law firm

Filing Impact
(Moderate)
Filing Sentiment
(Neutral)
Form Type
8-K

Rhea-AI Filing Summary

Navient Corporation reports a material cybersecurity incident at a third‑party law firm that provides services to the company. A ransomware attack on the firm’s systems allowed an unauthorized actor to access Company‑related borrower data, including customer names, dates of birth, addresses and Social Security numbers.

Navient engaged external cybersecurity experts, is notifying affected individuals and regulators under applicable laws, and has informed law enforcement. The incident was limited to the law firm’s environment, with no identified unauthorized access to Navient’s own systems and no disruption to operations or customer services. As of this report, Navient does not believe the incident is reasonably likely to have a material impact on its financial condition or results of operations.

Positive

  • None.

Negative

  • None.
Item 1.05 Material Cybersecurity Incidents Business
A cybersecurity incident that the company has determined to be material to investors.
Incident awareness date June 8, 2026 Date Navient became aware of the cybersecurity incident
Materiality determination date June 29, 2026 Date Navient determined the incident to be material
Senior notes coupon 6% Senior Notes due December 15, 2043 Existing listed security, unchanged by this event
cybersecurity incident technical
"the Company became aware of a cybersecurity incident involving a third‑party law firm"
A cybersecurity incident is an event where someone's computer systems or data are attacked or broken into without permission. It matters because it can lead to stolen information, financial loss, or disruptions in services, similar to a break-in at a store that damages property or steals valuable items.
ransomware attack technical
"The incident involved a ransomware attack affecting certain of the Firm’s information systems"
unauthorized actor technical
"an unauthorized actor accessed certain Company-related data maintained by the Firm"
material impact financial
"does not believe the incident has had, or is reasonably likely to have, a material impact"
Material impact refers to a significant effect that can influence the overall value, decision-making, or outlook of a business or investment. It matters to investors because such an impact can change the expected success or risk level of an investment, similar to how a major change in a recipe can alter the final taste—it's important enough to influence overall judgment or actions.
borrower information financial
"Such data includes borrower information such as customer names, date of birth, addresses and Social Security numbers"
See more from StockTitan in Google Search and AI answers. Adds StockTitan as a preferred source · opens Google
Add on Google
Learn about SEC filing dates

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, DC 20549



FORM 8-K



CURRENT REPORT

Pursuant to Section 13 or 15(d)
of The Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): June 29, 2026



Navient Corporation
(Exact name of registrant as specified in its charter)



Delaware
 
001-36228
 
46-4054283
(State or other jurisdiction of incorporation)
 
(Commission File Number)
 
(IRS Employer Identification No.)

13865 Sunrise Valley Drive, Herndon, Virginia
 
20171
(Address of principal executive offices)
 
(Zip Code)

Registrant’s telephone number, including area code (302) 283-8000

Not Applicable
(Former name or former address, if changed since last report)



Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions (see General Instruction A.2. below):

Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)
Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))
Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:

Title of each class
Trading Symbol(s)
Name of each exchange on which registered
Common stock, par value $.01 per share
NAVI
The Nasdaq Global Select Market
6% Senior Notes due December 15, 2043
JSM
The Nasdaq Global Select Market
Preferred Stock Purchase Rights
None
The Nasdaq Global Select Market

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
 


Item 1.05
Material Cybersecurity Incidents

On June 8, 2026, the Company became aware of a cybersecurity incident involving a third‑party law firm (the “Firm”) that provides services to the Company. The incident involved a ransomware attack affecting certain of the Firm’s information systems.
 
The Company was informed by the Firm that an unauthorized actor accessed certain Company-related data maintained by the Firm as a result of the Firm’s provision of legal services to the Company. Such data includes borrower information such as customer names, date of birth, addresses and Social Security numbers. The Company promptly initiated an investigation, with the assistance of external cybersecurity experts, and is conducting notifications to affected individuals and regulators as required by applicable federal and state laws. Law enforcement has also been notified.
 
The incident was limited to the Firm’s environment; the Company has not identified any evidence of unauthorized access to its own systems and has not experienced any disruption to its operations or customer services as a result of the incident. Notwithstanding the foregoing, the Company determined the incident to be material on June 29, 2026 in light of the volume and sensitivity of the information involved.
 
As of the date of this report, the Company does not believe the incident has had, or is reasonably likely to have, a material impact on its financial condition or results of operations.
 

SIGNATURE

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

 
NAVIENT CORPORATION
     
 
By:
/s/ Matthew Sheldon
 
 
Name:
Matthew Sheldon
 
Title:
Senior Vice President & General Counsel
     
Date: July 2, 2026
   



FAQ

What cybersecurity incident did Navient (JSM) disclose in this 8-K?

Navient disclosed a ransomware-related cybersecurity incident at a third-party law firm. An unauthorized actor accessed Company-related borrower data held by the firm, including names, dates of birth, addresses and Social Security numbers, prompting investigation and required notifications.

Was Navient’s own IT environment compromised in the reported cyber incident?

Navient states the incident was limited to the law firm’s systems. The company reports no evidence of unauthorized access to its own systems and no disruption to its operations or customer services resulting from this incident.

What type of borrower data was exposed in Navient’s third-party breach?

The exposed borrower data includes customer names, dates of birth, addresses and Social Security numbers. This information was stored on the third-party law firm’s systems as part of its legal services for Navient, not on Navient’s own IT systems.

How is Navient responding to the cybersecurity incident involving its law firm?

Navient initiated an investigation with external cybersecurity experts and is notifying affected individuals and regulators as required by federal and state laws. Law enforcement has also been notified in connection with the ransomware attack at the third-party firm.

Does Navient expect a material financial impact from this cyber incident?

As of this report, Navient states it does not believe the incident has had, or is reasonably likely to have, a material impact on its financial condition or results of operations, despite being deemed material due to the volume and sensitivity of the data involved.

When did Navient determine the third-party cyber incident was material?

Navient determined the incident was material on June 29, 2026. The company reached this conclusion in light of the volume and sensitivity of borrower information involved, including Social Security numbers and other personal data accessed at the third-party law firm.

Filing Exhibits & Attachments

4 documents