Kaplan North America Data Breach May Have Exposed Personal Data of More Than 26,000 South Carolinians

What happened

A Kaplan North America data breach may have exposed personal data of more than 26,000 South Carolina residents after unauthorized access to the company’s computer network between Oct. 30, 2025 and Nov. 18, 2025. The South Carolina Department of Consumer Affairs said the incident was first reported to the state on March 17 and affected 26,612 residents. In a notification letter sent to impacted individuals, Kaplan North America said an investigation found that an unauthorized actor took certain files from its network. The company said those files may have contained personal information including names, Social Security numbers, and driver’s license numbers. Kaplan North America also said it activated its incident response plan, contained the incident, launched an investigation, and promptly notified law enforcement after discovering the unauthorized access.

Who is affected

The direct exposure affects 26,612 South Carolina residents identified by the South Carolina Department of Consumer Affairs. Kaplan North America said the potentially exposed information may have included names, Social Security numbers, and driver’s license numbers for individuals whose data was contained in the involved files.

Why CISOs should care

This incident matters because it involves unauthorized access to a corporate network and potential exposure of high-risk identity data. It also shows how a breach response now extends beyond containment and investigation to resident notification, law enforcement engagement, credit monitoring support, and identity theft protection services.

3 practical actions

1. Confirm exactly what was taken: Determine which files were accessed and whether they contained names, Social Security numbers, driver’s license numbers, or other regulated personal information before finalizing impact assessments.
2. Align customer support with identity-data exposure: Prepare credit monitoring, identity theft support, and clear activation instructions when exposed data includes the categories identified in this incident.
3. Tighten notification and regulatory coordination: Ensure incident reporting, consumer notification, and law enforcement engagement can move quickly once an investigation confirms unauthorized access to sensitive files.

For more news about incidents involving exposure of personal information, click Data Breach to read more.