The U.S. Department of Education has warned of “active and ongoing exploitation” of a security flaw in Ellucian’s Banner system that may give hackers access to student data such as grades, financial information and Social Security numbers.
A security alert, published Wednesday by the department’s Office of Federal Student Aid, said 62 colleges and universities using Banner had already been targeted. The alert indicates that criminals have been “scanning the internet looking for institutions to victimize” and drawing up lists of colleges to target.
(Note: This article was updated on July 24 to more accurately describe the impact of the Ellucian Banner security flaw. While the Education Department reported that a known vulnerability had been exploited, the department did not state there had been a data breach at impacted institutions. On August 6, the department published an update saying it had not found any instances of the vulnerability being exploited.)
Institutions that have transitioned to Banner 9, the latest version of Ellucian’s enterprise resource planning system, are not thought to be affected. But institutions still running older versions of two Banner modules, Web Tailor and Enterprise Identity Services, could be vulnerable.
According to Ellucian’s website, more than 1,400 institutions worldwide use Banner to manage student grades, staff payrolls, course schedules, admissions and student financial aid, among other tasks. Web Tailor and Enterprise Identity Services can be used by system administrators to get access to sensitive data protected under the Family Educational Rights and Privacy Act.
The student aid office encouraged institutions that have not recently upgraded Web Tailor or Enterprise Identity Services to do so and to contact the FSA incident team to determine whether the security flaw had been exploited. Ellucian published a patch on May 14 that fixed the security flaw but has not shared how many institutions have installed it.
The National Institute of Standards and Technology’s advisory for the flaw, tracked as CVE-2019-8978, described it as an “improper authentication vulnerability” that enabled attackers to take over users' sessions when they attempted to log in. Depending on the administrative privileges of the user, and the way data are organized by individual institutions, attackers could use this access to move laterally through administrative systems and access sensitive information. Attackers could also potentially manipulate this information, perhaps changing personal information or grades, dropping students from their courses or denying them student financial aid.
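The advisory summarized above describes the class of flaw (a session taken over at login) but not the Banner mechanism, and neither does this article. The following is an added illustration, not Ellucian’s code and not a reproduction of the Banner bug: it shows one common way an improper-authentication flaw of that class arises, namely a login routine that keeps the pre-authentication session identifier instead of issuing a new one, beside the hardened form, together with the check a practitioner would run against their own application. All names (SessionStore, login_vulnerable, login_hardened, attacker_can_hijack) are hypothetical.

```python
"""Added example: session takeover at login (session fixation), vulnerable vs. hardened.

Not Ellucian's code; the article does not describe the Banner mechanism.  This
shows the general pattern: if the identifier a browser held *before* logging in
is still valid *after* login, anyone who already knows that identifier (because
they planted it or observed it) now holds an authenticated session.
"""
import secrets


class SessionStore:
    """Minimal in-memory session table: session_id -> {"user", "authenticated"}."""

    def __init__(self):
        self._sessions = {}

    def new_anonymous(self):
        """Issue a pre-authentication (anonymous) session identifier."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "authenticated": False}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login_vulnerable(self, sid, user):
        """Credential check elided: keeps the caller-supplied identifier and
        merely flips it to authenticated, so a planted identifier is promoted."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        sess["user"] = user
        sess["authenticated"] = True
        return sid

    def login_hardened(self, sid, user):
        """Credential check elided: discards the pre-auth identifier and binds
        the authenticated state to a freshly generated one the attacker never saw."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "authenticated": True}
        return new_sid


def attacker_can_hijack(login):
    """Simulate the takeover: the attacker knows the victim's pre-auth session id,
    the victim logs in with it, and the attacker then checks whether that same id
    is now an authenticated session.  Returns True if the takeover succeeds."""
    store = SessionStore()
    planted = store.new_anonymous()          # identifier known to the attacker
    login(store, planted, "registrar_admin")  # victim authenticates with it
    sess = store.get(planted)
    return sess is not None and sess["authenticated"]


if __name__ == "__main__":
    print("vulnerable login hijackable:", attacker_can_hijack(SessionStore.login_vulnerable))
    print("hardened login hijackable:  ", attacker_can_hijack(SessionStore.login_hardened))
```

The check to carry over to a real deployment is the last few lines of attacker_can_hijack: record the session cookie a browser holds on the login page, authenticate, and confirm the server rejects the old value and issued a new one.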
According to FSA, affected institutions reported that attackers used the security flaw to manipulate admissions and enrollment systems and create thousands of fake student accounts over the space of a few days. “Some of these accounts appear to be leveraged almost immediately for criminal activity,” the office said.
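Thousands of accounts created over a few days is a pattern that stands out in audit logs regardless of how the accounts were created. The following is an added detection example, not FSA’s or Ellucian’s tooling: it parses constructed account-creation log lines (the line format, field names, user names and IP addresses are invented for the example) and flags any source address that creates at least a threshold number of accounts within a sliding time window, alongside a per-day count to compare against a normal baseline.

```python
"""Added example: flag bursts of account creation in admissions/enrollment logs.

Not Ellucian's or FSA's tooling.  SAMPLE_LOG and LINE_RE are constructed for this
example; adapt the regex to the fields your own audit or web-server logs carry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, event type, new user name, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) event=account_create "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: two normal creations, a seven-account burst from one
# address in under two minutes, one more normal creation, one unparseable line.
SAMPLE_LOG = """\
2019-07-10T09:02:11Z event=account_create user=jdoe21 src=203.0.113.8
2019-07-10T14:40:02Z event=account_create user=asmith9 src=203.0.113.45
2019-07-11T02:10:00Z event=account_create user=stu0001 src=198.51.100.23
2019-07-11T02:10:14Z event=account_create user=stu0002 src=198.51.100.23
2019-07-11T02:10:29Z event=account_create user=stu0003 src=198.51.100.23
2019-07-11T02:10:41Z event=account_create user=stu0004 src=198.51.100.23
2019-07-11T02:11:03Z event=account_create user=stu0005 src=198.51.100.23
2019-07-11T02:11:20Z event=account_create user=stu0006 src=198.51.100.23
2019-07-11T02:11:38Z event=account_create user=stu0007 src=198.51.100.23
2019-07-11T11:55:47Z event=account_create user=mlee4 src=203.0.113.77
garbage line that does not match the format
"""


def parse(lines):
    """Return a time-sorted list of (timestamp, user, src); skip unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"]))
    events.sort()
    return events


def burst_sources(events, window=timedelta(minutes=10), threshold=5):
    """Map src -> peak count for sources that created >= threshold accounts
    within any span of length `window` (sliding window over that source's events)."""
    per_src = defaultdict(list)
    for ts, _, src in events:
        per_src[src].append(ts)  # events are sorted, so each list is sorted
    alerts = {}
    for src, times in per_src.items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def daily_counts(events):
    """Map 'YYYY-MM-DD' -> number of accounts created that day, for baseline comparison."""
    counts = defaultdict(int)
    for ts, _, _ in events:
        counts[ts.strftime("%Y-%m-%d")] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    print("burst sources:", burst_sources(evs))
    print("per day:", daily_counts(evs))
```

Thresholds are deliberately conservative here; in production, set them from the institution’s own admissions cycle, since a legitimate orientation day can also produce many creations, though rarely from a single address within minutes.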
Josh Sosnin, chief information security officer at Ellucian, said in an emailed statement that there is no connection between the security flaw and the generation of the fake student accounts. “Ellucian has confirmed internally that the two issues outlined in the Department of Education report are separate, unrelated issues,” he said. “There is no connection between these two issues and Ellucian has communicated this to the Department of Education.”
Institutions being targeted by bots that submit fraudulent admissions applications are “an industry issue and not specific to Ellucian or Banner,” said Sosnin. He added that Ellucian’s customer service employees are “standing by to help” customers with questions about patches or updates.
Why the FSA office is reporting on the Banner security flaw two months after it was patched by Ellucian is unclear. It is also not clear how the flaw was discovered, though the NIST advisory links to a document suggesting that it may have been identified as early as December 2018 by Joshua Mulliken, a member of IT staff at the University of South Carolina.
In a GitHub post, Mulliken outlines a “disclosure timeline” indicating that Ellucian took several months to address his concerns. Mulliken said via email that he was the first person to identify the security flaw.
"Ellucian has not been proactive in ensuring that its customers understand the seriousness of CVE-2019-8978," said Mulliken. "Several institutions have reached out to me today and informed me that they had deferred updating for some time. The official messaging was not able to convey the urgency required, which more than likely contributed to the current situation."
Scott Shackelford, professor of law and cybersecurity program chair at Indiana University at Bloomington, said it is not uncommon for organizations to take several months to release patches addressing security issues, particularly if they “don’t think it’s particularly troublesome.”
Moving forward, Shackelford encouraged colleges and universities to pay attention when companies release updates and install them “as quickly as possible.”
“This really boils down to basic cyberhygiene,” he said. He encouraged institutions to limit the number of users with administrative privileges for Banner and other enterprise resource planning software.
Both Shackelford and Emory Roane, privacy counsel at Privacy Rights Clearinghouse, a nonprofit organization that tracks data breach disclosures and advocates for consumer data protection, said it could take weeks before more information is made public clarifying whether protected student information was exposed as a result of the Ellucian Banner security flaw.
Depending on where institutions are located and what type of data were affected, there are different reporting requirements for disclosing breaches, said Shackelford. In Georgia, for example, there is no state-enforced timeline for reporting data breaches, he said. Roane would like to see that change -- he thinks the U.S. should move closer to Europe’s 72-hour disclosure requirement under the General Data Protection Regulation.
Without disclosures, it is difficult to determine how serious the impact of the Banner security flaw is, said Shackelford.
Charlie Moran, senior partner and CEO of Moran Technology Consulting, described the situation as “bad, but only for a small number of schools.”
Most of the 1,400 institutions using Banner have already made the transition to Banner 9 modules, said Moran. “Most schools moved to Banner 9 this past year in a forced march because of a major software change that Ellucian was forced to make, so there are not a lot of schools running this old software,” he said.