62 Schools Hit by ERP Vulnerability Patched Months Ago

  • By Dian Schaffhauser
  • 07/23/19
hacker with laptop

More than five dozen institutions have been victimized by a vulnerability in the Ellucian Banner products, which the company put out a patch for months ago. Federal Student Aid, an office of the U.S. Department of Education, took the unusual step of issuing a security alert warning that attackers could use the vulnerability to "log into the Banner system with an institutional account."

The office had identified 62 colleges and universities that had already been affected. Some had informed the office that attackers would exploit the opening and then use scripts in the admissions or enrollment section of the hacked system to create multiple student accounts, which would then be "leveraged almost immediately for criminal activity."

Ellucian responded with its own note, suggesting that the FSA alert referred to two problems. The first, the vulnerability, was addressed by a patch issued on May 14, 2019, and fixed in all subsequent software releases. The company specifically noted that the patch should only be applied to specific versions of software:

  • Banner Web Tailor versions 8.8.3 and 8.8.4; and
  • Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4 or earlier

Those schools concerned that they may have been victimized by the break-ins were advised to check their Banner 8.x self-service access logs "for unusual activity," such as a high number of error requests coming from the same IP address.

The second issue, involving the creation of fraudulent admission applications, was, said Ellucian, "an industry issue and not specific to Ellucian or Banner." Information about how to mitigate creation of fraudulent admissions applications was posted on the Ellucian community website, which sits behind a registration wall.

FSA also noted in its security alert that "in [its] shared mission with the institution to safeguard student information," it would like to hear from institutions that may have been affected.

Details about the vulnerability are part of the National Institute of Standards and Technology national vulnerability database.

Update: On Aug. 6, 2019, FSA issued an update. While the Department of Education is continuing to work with institutions "to determine what impact, if any, the Ellucian Banner System vulnerability may have had," the agency stated, "to date, based on reports from targeted institutions, we have not found any instances where ... the vulnerability has been exploited or is related to the issues described in the original alert."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • Complete College America Launches Center to Boost Data-Driven Student Success Strategies

    National nonprofit Complete College America (CCA) recently launched the Center for Leadership, Institutional Metrics, and Best Practices (CLIMB), with the goal of helping higher education institutions use data-driven strategies to improve student outcomes.

  • teacher

    6 Policy Recommendations for Incorporating AI in the Classroom

    The Southern Regional Education Board's Commission on AI in Education has published six recommendations for states on adopting artificial intelligence in schools, colleges, and universities. The guidance marks the commission's first release since it was established last February, with more recommendations planned in the coming year.

  • computer screen displaying a landline phone being unplugged from a single cord, with a modern office desk, keyboard, and subtle lighting in the background

    Microsoft to Discontinue Skype Services

    Microsoft has announced that it is shutting down service for its Skype telecommunications and video calling services on May 5, 2025.

  • Two figures, one male and one female, stand beside a transparent digital interface displaying AI symbols like neural networks, code, and a shield, against a clean blue gradient background.

    Report Makes Business Case for Responsible AI

    A new report commissioned by Microsoft and published last month by research firm IDC notes that 91% of organizations use AI tech and expect more than a 24% improvement in customer experience, business resilience, sustainability, and operational efficiency due to AI in 2024.