62 Schools Hit by ERP Vulnerability Patched Months Ago

  • By Dian Schaffhauser
  • 07/23/19
hacker with laptop

More than five dozen institutions have been victimized by a vulnerability in the Ellucian Banner products, which the company put out a patch for months ago. Federal Student Aid, an office of the U.S. Department of Education, took the unusual step of issuing a security alert warning that attackers could use the vulnerability to "log into the Banner system with an institutional account."

The office had identified 62 colleges and universities that had already been affected. Some had informed the office that attackers would exploit the opening and then use scripts in the admissions or enrollment section of the hacked system to create multiple student accounts, which would then be "leveraged almost immediately for criminal activity."

Ellucian responded with its own note, suggesting that the FSA alert referred to two problems. The first, the vulnerability, was addressed by a patch issued on May 14, 2019, and fixed in all subsequent software releases. The company specifically noted that the patch should only be applied to specific versions of software:

  • Banner Web Tailor versions 8.8.3 and 8.8.4; and
  • Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4 or earlier

Those schools concerned that they may have been victimized by the break-ins were advised to check their Banner 8.x self-service access logs "for unusual activity," such as a high number of error requests coming from the same IP address.

The second issue, involving the creation of fraudulent admission applications, was, said Ellucian, "an industry issue and not specific to Ellucian or Banner." Information about how to mitigate creation of fraudulent admissions applications was posted on the Ellucian community website, which sits behind a registration wall.

FSA also noted in its security alert that "in [its] shared mission with the institution to safeguard student information," it would like to hear from institutions that may have been affected.

Details about the vulnerability are part of the National Institute of Standards and Technology national vulnerability database.

Update: On Aug. 6, 2019, FSA issued an update. While the Department of Education is continuing to work with institutions "to determine what impact, if any, the Ellucian Banner System vulnerability may have had," the agency stated, "to date, based on reports from targeted institutions, we have not found any instances where ... the vulnerability has been exploited or is related to the issues described in the original alert."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • geometric pattern features abstract icons of a dollar sign, graduation cap, and document

    Maricopa Community Colleges Adopts Platform to Combat Student Application Fraud

    In an effort to secure its admissions and financial processes, Maricopa Community Colleges has partnered with A.M. Simpkins and Associates (AMSA) to implement the company's S.A.F.E (Student Application Fraudulent Examination) across the district's 10 institutions.

  • stylized figures, resumes, a graduation cap, and a laptop interconnected with geometric shapes

    OpenAI to Launch AI-Powered Jobs Platform

    OpenAI announced it will launch an AI-powered hiring platform by mid-2026, directly competing with LinkedIn and Indeed in the professional networking and recruitment space. The company announced the initiative alongside an expanded certification program designed to verify AI skills for job seekers.

  • Abstract AI circuit board pattern

    New Nonprofit to Work Toward Safer, Truthful AI

    Turing Award-winning AI researcher Yoshua Bengio has launched LawZero, a new nonprofit aimed at developing AI systems that prioritize safety and truthfulness over autonomy.

  • hooded figure types on a laptop, with abstract manifesto-like posters taped to the wall behind them

    Hacktivism Is a Growing Threat to Higher Education

    In recent years, colleges and universities have faced an evolving array of cybersecurity challenges. But one threat is showing signs of becoming both more frequent and more politically charged: hacktivism.