By Elias Schisgall

Navient said personal data about its borrowers had been accessed through a ransomware incident targeted at an external law firm the company had hired.

An unauthorized actor gained access to data related to Navient and maintained by the law firm, the financial-serices company said in a Thursday filing with the Securities and Exchange Commission. The firm informed Navient about the attack on June 8.

The actor accessed borrower information including names, Social Security numbers, dates of birth and addresses, Navient said.

The company said it engaged external cybersecurity experts and started an investigation, and is notifying regulators, law enforcement, and affected individuals.

The ransomware incident was limited to the law firm's systems, Navient said, adding that it hasn't identified evidence of unauthorized access to its own systems or seen any disruptions to customer services or operations.

The company determined the incident was a material event on Monday, but said it isn't expected to have an effect on its financial condition or results.

Shares of Navient edged 1.2% lower, to $8.51, in after-hours trading.

Write to Elias Schisgall at elias.schisgall@wsj.com