A vulnerability in Ellucian’s Banner software, which colleges use for their admission and enrollment processes, was being used by hackers to access private data of students, the Federal Student Aid Office of the Department of Education said in an alert.
At least 62 colleges and universities across the United States have reported a breach in their systems. The Education Department said that the attackers used a previously identified vulnerability in the Ellucian Banner system to breach the admissions and enrollment section of the affected system and created thousands of fake student accounts.
The Department noted that the vulnerability only occurs in Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4.
“Criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation,” the alert said.
“It has been reported that at least 600 fake or fraudulent student accounts were created within a 24-hour period, with the activity continuing over multiple days resulting in the creation of thousands of fake student accounts. Some of these accounts appear to be leveraged almost immediately for criminal activity.”
Institutions that use the Banner system have reported that it affects various aspects of academic administration, including the administration of student financial aid. That has concerned the Department, which fears that its data could also be at risk.
Meanwhile, Ellucian denied the link between the breach and the vulnerability in its system and reported that it had already released a patch in May, which makes it nearly impossible to breach student or institutional data.
“Patches for this vulnerability were issued by Ellucian on May 14, 2019, and are included in all subsequent roll-up software releases,” Ellucian’s statement reads.
“The patched vulnerability is extremely difficult to exploit and unlikely to occur outside of a laboratory setting.”