Warning: Cyberattack on Popular Education ERP Platform

essidsolutions

Cybercriminals have attacked Ellucian’s widely used Banner Web Tailor module, part of an enterprise resource planning platform for colleges that holds students’ personal and financial data, according to the federal government.

The alert by the Education Department said an “active and ongoing exploitation” of a security flaw in the Banner system gives the hackers access to students’ grades, family finances and Social Security numbers.

The criminals exploited the flaw to hijack the sessions of logged-in users and caused denial-of-service conditions by repeatedly requesting the Banner Web Tailor main page, the department said, adding that systems at 62 colleges have been compromised.

Used by 1,400 Colleges

Banner Web Tailor is the Banner module colleges use to customize their web applications. According to Ellucian’s website, more than 1,400 institutions worldwide use Banner to manage student grades, staff payrolls, course schedules, admissions and student assistance.

Ellucian said that it released a patch for the flaw in May and that it had no reason to believe a further breach had occurred. It did not disclose how many institutions had installed the patch.

The Education Department reported the attack last week but did not give a date. It said institutions that have transitioned to Banner 9, the latest version of Ellucian’s ERP system, are not believed to be affected.

Some 600 fake or fraudulent student accounts were created within a 24-hour period, according to the department. The activity continued over several days and eventually resulted in the creation of thousands of fake student accounts. Some of the accounts were then used for further criminal activity that the department did not detail.

There were concerns that the hackers possibly intended to create fraudulent applications for admission or steal financial assistance data.
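Both behaviours the department describes, one client hammering the Web Tailor main page and a burst of hundreds of account creations in a day, leave a clear footprint in ordinary web server access logs. The following detector is an added example, not code from Ellucian or from the department’s alert: it parses combined-format log lines and flags sources whose request rate to the main page exceeds a sliding-window threshold, and separately flags a site-wide account-creation burst. The URL paths, thresholds and the sample log are assumptions constructed for the example; the alert names no URLs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed paths: the alert does not name URLs, so these stand in for the Banner
# Web Tailor main page and a self-service account-creation endpoint.
MAIN_PAGE = "/banner/webtailor/main"
SIGNUP_PATH = "/banner/selfservice/create_account"

# Apache/nginx "combined" style: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Parse one access log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?")[0], "status": int(m.group("status"))}


def peak_rate(times, window):
    """Largest number of events (sorted datetimes) that fall inside any span of length `window`."""
    q, best = deque(), 0
    for t in times:
        q.append(t)
        while t - q[0] > window:      # drop events that fell out of the window
            q.popleft()
        best = max(best, len(q))
    return best


def request_floods(lines, path=MAIN_PAGE, window=timedelta(seconds=10), threshold=30):
    """Per-source DoS pattern: clients with >= threshold hits on `path` inside `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path:
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        peak = peak_rate(sorted(times), window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def signup_burst(lines, path=SIGNUP_PATH, window=timedelta(hours=24), threshold=600):
    """Site-wide burst: peak count of successful POSTs to `path` in `window`, and whether it alerts."""
    times = sorted(rec["ts"] for rec in map(parse_line, lines)
                   if rec and rec["method"] == "POST" and rec["path"] == path and rec["status"] < 400)
    peak = peak_rate(times, window)
    return peak, peak >= threshold


def _fmt(ts):
    return ts.strftime("%d/%b/%Y:%H:%M:%S %z")


BASE = datetime(2019, 7, 1, 8, 0, 0, tzinfo=timezone.utc)


def build_sample_log():
    """Constructed sample log (not real traffic) with all three behaviours mixed together."""
    lines = []
    # One address hits the main page 45 times in about 9 seconds (the DoS pattern)
    for i in range(45):
        ts = BASE + timedelta(milliseconds=200 * i)
        lines.append(f'198.51.100.7 - - [{_fmt(ts)}] "GET {MAIN_PAGE} HTTP/1.1" 200 5120')
    # Ordinary users: single visits spread over an hour
    for i in range(5):
        ts = BASE + timedelta(minutes=12 * i)
        lines.append(f'203.0.113.{10 + i} - - [{_fmt(ts)}] "GET {MAIN_PAGE} HTTP/1.1" 200 5120')
    # 700 successful account creations from many addresses inside six hours
    for i in range(700):
        ts = BASE + timedelta(seconds=30 * i)
        lines.append(f'192.0.2.{i % 250} - - [{_fmt(ts)}] "POST {SIGNUP_PATH} HTTP/1.1" 302 0')
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("flooding sources:", request_floods(log))
    print("signup burst (peak, alert):", signup_burst(log))
```

The per-source window catches the repeated main-page requests even when the attacker rotates sessions, while the account-creation check is deliberately site-wide because the fake registrations came from many addresses; tune the thresholds to a baseline taken from the institution’s own traffic before relying on them.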

Many Have Yet to Fix Systems

The department indicated that many institutions still had not implemented appropriate safeguards to segregate the system functions that handle the department’s student financial aid data.

“It is believed that such a condition could put the security and the integrity of the department’s data and systems at risk,” it added.

The institutions thought to have been attacked were not identified but were urged publicly to take appropriate defensive measures.

Ellucian said that it did not believe the vulnerability could be used to create accounts: “The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products,” it said.

Key takeaways:

  • The Education Department has issued an alert to colleges and universities regarding the Ellucian ERP platform, specifically vulnerabilities that may allow hackers to access information and potentially also create fake accounts.
  • Ellucian, which specializes in the development of ERP systems for educational institutions, denied that the vulnerability could be used to create actual fake accounts in an effort to get access to student aid payments.
  • Ellucian is recommending that colleges add reCAPTCHA capabilities to the admissions process to reduce the likelihood of suffering fraudulent applications for admission.