Dive Brief:

  • Hackers breached the sensitive student data of 62 colleges, the U.S. Department of Education announced last week.
  • Over the course of several days, attackers created thousands of fake student accounts, some of which “appear to be leveraged almost immediately for criminal activity,” the Ed Department said.
  • Initial reports suggested that a security flaw in Ellucian software was exploited in the breach, but the company announced on Friday that the vulnerability and the fake admissions applications “are two separate and distinct issues” and that it has “no reason to suspect that a breach has occurred as a result of this vulnerability.”

Dive Insight: 

The security flaw was found in previous versions of Banner software that colleges use to design web applications and authenticate users.

Hackers could use the security flaw to take over users’ sessions when they tried to log in and may have been able to access sensitive student data, according to the National Institute of Standards and Technology. The Ed Department noted on its website that the security breach may have also given hackers access to the agency’s student financial aid data.

Liz Hill, an Ed Department spokesperson, said it issued the announcement about the security flaw “out of an abundance of caution” after becoming aware of “fraudulent activities” at several colleges using Banner products.

“We are working with school and law enforcement officials to determine what, if any, federal student aid information or data may have been affected,” Hill wrote in an email to Education Dive on Friday.

It’s not clear how many institutions are still using the older versions of the software, but more than 1,400 colleges use Banner for a variety of services, including for managing student information, employee benefits and financial aid.

An Ellucian spokesperson didn’t say how or when the vulnerability was discovered. However, a GitHub post suggests a University of South Carolina student worker may have found and reported the issue to the company in December.

Colleges — which house intellectual property, student data and financial information — have long been a target for cybersecurity attacks. And those that fail to keep their systems up to date are especially at risk, said cybersecurity expert Russell Schrader in an interview with Education Dive last year. At the time, Schrader was executive director of the National Cyber Security Alliance.

“It’s not sexy to sit around and update your operating system, but it’s the best way to make sure you’re not opening your institution up to attacks that have already been solved,” he said.

Brian Kelly, director of the cybersecurity program at Educause, told Education Dive in an email that “broad-based institutional participation” is critical to protecting sensitive data. “Because cybersecurity threats can target multiple points of entry in an institution, (it) is important for all campus members to know basic information security protections to safeguard data and prevent those data from being mishandled,” Kelly wrote.