Security

62 Schools Hit by ERP Vulnerability Patched Months Ago

• By Dian Schaffhauser
• 07/23/19

More than five dozen institutions have been victimized by a vulnerability in the Ellucian Banner products, which the company put out a patch for months ago. Federal Student Aid, an office of the U.S. Department of Education, took the unusual step of issuing a security alert warning that attackers could use the vulnerability to "log into the Banner system with an institutional account."

The office had identified 62 colleges and universities that had already been affected. Some had informed the office that attackers would exploit the opening and then use scripts in the admissions or enrollment section of the hacked system to create multiple student accounts, which would then be "leveraged almost immediately for criminal activity."

Ellucian responded with its own note, suggesting that the FSA alert referred to two problems. The first, the vulnerability, was addressed by a patch issued on May 14, 2019, and fixed in all subsequent software releases. The company specifically noted that the patch should only be applied to specific versions of software:

• Banner Web Tailor versions 8.8.3 and 8.8.4; and
• Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4 or earlier

Those schools concerned that they may have been victimized by the break-ins were advised to check their Banner 8.x self-service access logs "for unusual activity," such as a high number of error requests coming from the same IP address.

The second issue, involving the creation of fraudulent admission applications, was, said Ellucian, "an industry issue and not specific to Ellucian or Banner." Information about how to mitigate creation of fraudulent admissions applications was posted on the Ellucian community website, which sits behind a registration wall.

FSA also noted in its security alert that "in [its] shared mission with the institution to safeguard student information," it would like to hear from institutions that may have been affected.

Details about the vulnerability are part of the National Institute of Standards and Technology national vulnerability database.

Update: On Aug. 6, 2019, FSA issued an update. While the Department of Education is continuing to work with institutions "to determine what impact, if any, the Ellucian Banner System vulnerability may have had," the agency stated, "to date, based on reports from targeted institutions, we have not found any instances where ... the vulnerability has been exploited or is related to the issues described in the original alert."