July 20, 2019 at
Hackers have been able to abuse a vulnerability in software used by colleges and universities. This allowed them to gain access to student information such as Social Security numbers, personal financial information, and grades.
The US Department of Education (DoE) issued a security alert earlier this week stating that 62 universities and colleges had been affected. Data acquired by the hackers was used to create fake accounts for criminal intent.
The vulnerability impacts Ellucian Banner Enterprise Identity Services and Ellucian Banner Web Tailor, both modules of the Ellucian Banner ERP system.
It appears that attackers were able to take over user sessions when they attempted to log in.
It has been alleged that these criminal elements have actively been scouring the internet looking for institutions to target using this software flaw. This research provided them with a list of institutions to victimize. The hackers would then access the system once the user logged in. The amount of information they could obtain and how far into the systems they could get depended on the administrative rights of the user they chose to hack.
Using these means, they could eventually move laterally through the institution’s system and access personal and sensitive data – data that is usually protected by law.
Hackers were also potentially able to manipulate this information, for example, alter personal data or grades or deny students financial aid.
While there have been many reports that the data was then used for criminal purposes, no details have been provided on the nature or extent of the activity.
The FSA has stated that those affected have reported that the vulnerability was exploited to manipulate enrolment or admissions systems, as well as create hundreds of fake student accounts in a matter of
The chief information security officer at Ellucian emailed a statement reporting that there was no connection between the security vulnerability and the generation of fake accounts – the two issues were totally unrelated.
Ellucian operates in over 50 countries, assisting more than 2,500 institutions by providing software solutions for students, colleges, and universities. With more than 5 decades of know-how, they supply software that helps organize data and workflow for managing things like staff payroll, student grades, student financial aid, and
Ellucian fixed the vulnerability two months ago, with a patch that users need to download. However, the DoE stated, only this week, that hackers have started exploiting this vulnerability. It is unclear why there is a two-month gap between the creation of the patch and this
On 14 May 2019, the patch was created, and an update was posted stating that a vulnerability in the user verification mechanism used by the two modules had been discovered. This weakness meant that hackers could gain remote access to hijack victims’ web sessions and access their account details.
What happens now?
Institutions that use these two modules are strongly advised to apply the patches to fix any potential vulnerabilities in their systems. Institutions are also encouraged to upgrade their Enterprise Identity Services or Web Tailor modules if they have not done so already.
It would also be advisable for institutions to contact the FSA team to determine whether they have suffered a data breach.
The latest version of Ellucian’s ERP system is Banner 9. Those institutions that have already switched to this version are believed to be unaffected by this issue.