Data on 3.3 million borrowers was stolen from a nonprofit company that helps with student loan financing.
The theft occurred on March 20 or 21 from the headquarters of Educational Credit Management (ECMC), which services loans when student borrowers enter bankruptcy. The data was contained on portable media, said the organisation, which is a dedicated guarantee agency for Virginia, Oregon and Connecticut.
The data included names, addresses, birth dates and Social Security numbers but no financial information such as credit card numbers or bank account data, ECMC said in a news release.
Law enforcement has been notified. "ECMC is cooperating fully with local, state and federal law enforcement agencies conducting the investigation," it said in a statement.
ECMC will send a written notification to affected borrowers "as soon as possible" and offer them free services from Experian, a credit monitoring agency.
Data loss can occur in a variety of ways, including by remote hacking or employee theft. ECMC didn't say whether the data taken was encrypted.
The information could be useful for data thieves, who use personal information to apply for loans and credit cards or to assemble portfolios for larger identity theft schemes.
ECMC's data loss is significant but far short of some of the largest incidents.
More than 130 million credit card numbers were stolen around 2008 from Heartland Payment Systems, an attack ranked as the largest to date by DataLossDB, which tracks incidents. One of the hackers, Albert Gonzalez , was sentenced to 20 years in prison last month in US District Court for the District of Massachusetts.
In 2006, a laptop and hard drive containing personal information of 26.5 million military veterans and their spouses was stolen from the home of a US Department of Veterans Affairs employee.