TL;DR: Kaplan North America suffered a data breach between October 30 and November 18, 2025, exposing Social Security numbers and driver's licenses for at least 173,676 Texas residents. The company didn't tell anyone until March 17, 2026, over four months later. Class action attorneys are now investigating whether the delay violated state and federal notification laws.
What Kaplan Let Slip
For 19 days in late 2025, someone had access to Kaplan's servers. This was not a quick smash-and-grab but a nearly three-week window in which an attacker could browse files containing some of the most sensitive data Americans possess: Social Security numbers and driver's licenses.
The breach ran from October 30 to November 18, 2025. According to filings with the Texas Office of the Attorney General, 173,676 Texas residents were affected [1]. Maine's attorney general received a separate notice showing 19,075 residents in that state were hit [2]. That's nearly 193,000 people across just two states, and the nationwide total hasn't been disclosed.
Kaplan didn't figure out which files were compromised until February 21, 2026, three months after the breach ended. Then it took another month to actually tell victims. The notification letters didn't go out until March 17, 2026 [3].
The Damage: Your Identity on a Platter
The exposed data reads like an identity thief's wishlist:
- Full names
- Social Security numbers
- Driver's license numbers
This isn't just "your email got leaked" territory. Social Security numbers are permanent. You can't change them. Combined with driver's license numbers, criminals have what they need to open credit accounts, file fake tax returns, or take out loans in your name.
Kaplan serves over 1.2 million students through test prep courses for standardized exams like the GRE, GMAT, LSAT, and MCAT. They also provide professional certifications and corporate training. That's a lot of people handing over sensitive information to prepare for their futures, not expecting it to end up in the hands of hackers.
Four Months of Silence
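Here's the timeline that's attracting legal attention:
- October 30, 2025: the breach begins
- November 18, 2025: the breach ends
- February 21, 2026: Kaplan determines which files were compromised
- March 17, 2026: notification letters go out to victims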
Texas law requires breach notification "as quickly as possible" [4]. Four and a half months doesn't fit most definitions of "as quickly as possible."
During those months, affected individuals had no idea their data was compromised. No chance to freeze their credit. No ability to watch for fraudulent accounts. No warning that their SSN might already be for sale on dark web markets.
The Legal Fallout
Multiple law firms are now investigating potential class action lawsuits. Schubert Jonckheer & Kolbe LLP announced on March 19, 2026, that they're examining whether affected individuals may be entitled to money damages and injunctive relief forcing Kaplan to improve its security practices [5].
The investigation is looking at whether Kaplan's delayed notification violated state and federal breach notification laws. Texas's Identity Theft Enforcement and Protection Act sets clear requirements for how quickly companies must notify victims.
Kaplan North America LLC is a Florida-based subsidiary of Graham Holdings Company (formerly The Washington Post Company). The parent company acquired Kaplan Inc. in 1984, and it's now one of the largest education companies in the world.
If You've Used Kaplan: Do This Now
Received a notification letter? Or used Kaplan's services and worried you might be affected? Here's what to do:
- To freeze your credit, contact all three bureaus: Equifax (1-800-349-9960), Experian (1-888-397-3742), TransUnion (1-888-909-8872). A freeze prevents anyone from opening new accounts in your name.
- Go to AnnualCreditReport.com and check for accounts you don't recognize. You're entitled to one free report per bureau per year.
- Place a fraud alert, which requires creditors to verify your identity before opening new accounts. Contact one bureau and they'll notify the others.
- Criminals often follow up breaches with targeted scams. Be suspicious of emails or calls claiming to be from Kaplan, credit bureaus, or the IRS.
Kaplan is offering affected individuals credit monitoring services, the standard corporate response. But a credit freeze is more effective than monitoring. Monitoring tells you after someone steals your identity. A freeze stops them from opening accounts in the first place.
Education Sector: A Soft Target
This isn't an isolated incident. Education companies hold vast amounts of sensitive data, often with security practices that don't match the sensitivity of what they're protecting. The same pattern shows up across sectors, from the Conduent breach that hit 26 million Americans to the broader wave catalogued in the Breachies 2025 roundup.
Students hand over SSNs, financial aid information, and government IDs without thinking twice. They're focused on passing exams and getting into schools, not on asking hard questions about data security policies.
Kaplan's breach is a reminder: any organization that holds your SSN needs to be treated as a potential liability. Ask what data they collect, how long they keep it, and what happens if they're breached. If they can't answer clearly, that's a red flag.
References
- [1] Texas Office of the Attorney General - Data Security Breach Reports
- [2] ClassAction.org - Kaplan Data Breach Investigation (March 2026)
- [3] PR Newswire - Privacy Alert: Kaplan North America LLC Under Investigation (March 19, 2026)
- [4] Texas Attorney General - Identity Theft Enforcement and Protection Act
- [5] Schubert Jonckheer & Kolbe - Kaplan North America LLC Investigation