UPDATE: Aug. 7, 2019: The U.S. Department of Education on Tuesday revised an earlier announcement to say that attacks on some colleges' registration portals were not likely tied to a separate vulnerability in Ellucian's Banner software. Initially, the department suggested the two were linked.
"To date, based on reports from targeted institutions, we have not found any instances where the Ellucian Banner System vulnerability has been exploited or is related to the issues described in the original alert," the department wrote in a post online.
In a statement posted on its website Tuesday, Ellucian said it "has conducted its own research and monitoring that has produced no evidence of any attempt to attack the Banner vulnerability."
However, the department noted that its review of a potential threat has led to "broader concern" about the security of institutions' front-end registration portals run by third parties. It recommends adding human validation checks to the sign-in process.
Dive Brief:
- The Ed Department posted a notification in mid-July that hackers had created thousands of fake student accounts, some of which "appear to be leveraged almost immediately for criminal activity."
- Initial reports suggested that a security flaw in Ellucian software was exploited, but the company and the Ed Department announced a few days later that the vulnerability and the fake admissions applications "are two separate and distinct issues," and that they have "no reason to suspect that a breach has occurred as a result of this vulnerability."
- Instead, "[a]ttackers are utilizing bots to submit fraudulent admissions applications and obtain institution email addresses through admission application portals," Ellucian said in a statement in response to the initial alert.
Dive Insight:
Liz Hill, Ed Department press secretary, said the department issued the announcement about the security flaw "out of an abundance of caution" after becoming aware of "fraudulent activities" at several colleges using Banner products.
"We are working with school and law enforcement officials to determine what, if any, federal student aid information or data may have been affected," Hill wrote in an email to Education Dive on July 19.
More than 1,400 colleges use Banner for a variety of services, including for managing student information, employee benefits and financial aid.
An Ellucian spokesperson didn't say how or when the vulnerability was discovered. However, a GitHub post suggests a University of South Carolina student worker may have found and reported the issue to the company in December.
Colleges — which house intellectual property, student data and financial information — have long been a target for cybersecurity attacks.
Brian Kelly, director of the cybersecurity program at Educause, told Education Dive in an email that "broad-based institutional participation" is critical to protecting sensitive data. "Because cybersecurity threats can target multiple points of entry in an institution, (it) is important for all campus members to know basic information security protections to safeguard data and prevent those data from being mishandled," Kelly wrote.
Tight budgets could make it hard for some colleges to shore up their defenses as cyberattacks grow more complex, Moody's analysts wrote in a report earlier this year.
That's contributed to an "upward trend" in attacks; U.S. institutions had 101 data disclosures in 2017, up from 15 in 2014, the analysts note.
Hackers recently brought down Monroe College's website and demanded $2 million in Bitcoin to restore the for-profit institution's system, the New York Daily News reported.
Earlier this year, hackers gained access to admissions files from Grinnell, Hamilton and Oberlin colleges. The hackers told students they could buy their applicant files, including their interview reports and comments from the admissions officers, for nearly $4,000 in Bitcoin, The Wall Street Journal reported.
This story has been updated to include information provided by Ellucian and the Ed Department clarifying the nature of the security risk.