
USDOE Alert: Security Breach at 62 Colleges Using the Ellucian Banner Tech/Data System

July 18, 2019

NOTE: On July 19, 2019, Ellucian added an update about the Banner system breach.

____________________________________________________________________________________

On July 17, 2019, the US Department of Education (USDOE) Office of Federal Student Aid posted the following security breach announcement “regarding the active and ongoing exploitation of a previously identified vulnerability in the Ellucian Banner (Banner) system.”

First, to the heart of the matter:

The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.

Victimized institutions have indicated that the attackers exploit the vulnerability and then leverage scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts. It has been reported that at least 600 fake or fraudulent student accounts were created within a 24-hour period, with the activity continuing over multiple days resulting in the creation of thousands of fake student accounts. Some of these accounts appear to be leveraged almost immediately for criminal activity.

And now, the entire USDOE announcement:

Posted Date: July 17, 2019

Author: Federal Student Aid

Subject: TECHNOLOGY SECURITY ALERT – Exploitation of Ellucian Banner System Vulnerability

The U.S. Department of Education (Department) has obtained information regarding the active and ongoing exploitation of a previously identified vulnerability in the Ellucian Banner (Banner) system. The vulnerability only occurs in Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4.

According to National Institute of Standards and Technology (NIST) advisory CVE-2019-8978, attackers can leverage a known vulnerability in these versions of these applications to log in to the Banner system with an institutional account. Access to operational areas and functions within the system would depend upon the administrative privileges granted to the affected account, but this information does not appear to be specifically detailed in the NIST advisory.

The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.

Victimized institutions have indicated that the attackers exploit the vulnerability and then leverage scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts. It has been reported that at least 600 fake or fraudulent student accounts were created within a 24-hour period, with the activity continuing over multiple days resulting in the creation of thousands of fake student accounts. Some of these accounts appear to be leveraged almost immediately for criminal activity.

Victimized institutions also have indicated that their implementation of the Banner system affects or influences all aspects of academic administration, including the administration of student financial aid. The Department is concerned that some institutions that use a Banner system that still deploys Ellucian Banner Web Tailor version 8.8.3, 8.8.4, or 8.9 and/or Banner Enterprise Identity Services version 8.3, 8.3.1, 8.3.2, or 8.4 may not have implemented appropriate safeguards to segregate the system functions affecting the Department’s student financial aid data. It is believed that such a condition could put the security and the integrity of the Department’s data and systems at risk. Impacted entities using the affected systems are encouraged to review the NIST advisory in its entirety and take appropriate response measures.

Actions for Institutions Using Ellucian Banner System

If your institution uses Ellucian Banner Web Tailor version 8.8.3, 8.8.4, or 8.9 and/or Banner Enterprise Identity Services version 8.3, 8.3.1, 8.3.2, or 8.4:

  1. review the vulnerability details as provided in NIST advisory CVE-2019-8978;
  2. contact Ellucian to receive information needed to patch or upgrade affected systems; and
  3. respond immediately to the Department via email to both FSASchoolCyberSafety@ed.gov and CPSSAIG@ed.gov. Include the following information in your email:
    • Institution’s Name
    • Institutional Point of Contact’s Name
    • Institutional Point of Contact’s Telephone Number and Email Address

Once the Department receives a notification email from an institution, the FSA Cyber Incident Team will acknowledge receipt of the email and collaborate with the institution to identify if its systems are using the versions impacted by this vulnerability. In our shared mission with the institution to safeguard student information, the FSA Cyber Incident Team will act as an information resource and guide the institution to Ellucian to obtain appropriate updates and patches to mitigate the vulnerability.
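A defender-side illustration of the pattern the alert describes (hundreds of scripted account creations within hours): the script below is added here and is not part of the USDOE alert or of Ellucian's software. It scans constructed admissions log lines in a hypothetical layout (ISO timestamp, client IP, method, path, HTTP status; the path /admissions/createAccount is assumed) and flags any source, or the campus as a whole, whose creation rate inside a sliding window reaches a threshold.

```python
"""Flag bursts of student-account creation in admissions web logs.

Added illustration, not Ellucian or USDOE code. The log layout (ISO timestamp,
client IP, method, path, HTTP status) and the creation path are hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CREATE_PATH = "/admissions/createAccount"  # hypothetical account-creation endpoint
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_sample():
    """Constructed data: one ordinary applicant, then a scripted burst from one host."""
    lines = ["2019-07-15T09:12:04Z 198.51.100.7 POST /admissions/createAccount 302"]
    base = datetime(2019, 7, 15, 10, 40, 0)
    for i in range(25):  # one creation every two seconds, far faster than a person
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FORMAT)
        lines.append(f"{ts} 203.0.113.5 POST {CREATE_PATH} 302")
    return lines


def account_creations(lines):
    """Yield (timestamp, client_ip) for each successful account-creation POST."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the scan
        ts, ip, method, path, status = parts
        if method == "POST" and path == CREATE_PATH and status == "302":
            yield datetime.strptime(ts, TS_FORMAT), ip


def creation_bursts(lines, threshold, window_hours, key=lambda ip: ip):
    """Peak creations inside any sliding window of `window_hours`, grouped by key(ip).

    Returns {group: peak} for groups reaching `threshold`. The default groups by
    source host; key=lambda ip: "campus" counts institution-wide, which still
    catches a burst spread over many source addresses.
    """
    window = timedelta(hours=window_hours)
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, ip in sorted(account_creations(lines)):
        q = recent[key(ip)]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        peak[key(ip)] = max(peak[key(ip)], len(q))
    return {g: n for g, n in peak.items() if n >= threshold}
```

Thresholds are institution-specific: a baseline of normal daily applicant sign-ups should set them, and the campus-wide check matters because a scripted attack need not come from a single address.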

Ironically, the Ellucian Banner website includes the sales tag, “Strengthen every major department in higher education with a comprehensive ERP system.”

As for postsecondary institutions using Ellucian Banner, 33 are named on this Ellucian “success” page, 30 of which are located in the US:

  • Connecticut State Colleges and Universities
  • University of California at Riverside
  • Pearl River Community College (Mississippi)
  • Edinboro University (Pennsylvania)
  • Virginia Tech
  • Georgia State University
  • Alamo Colleges (Texas)
  • Belhaven University (Mississippi)
  • Mississippi Gulf Coast Community College
  • Old Dominion University (Virginia)
  • Stark State College (Ohio)
  • St. Edward’s University (Texas)
  • Seton Hall University (New Jersey)
  • Delta State University (Mississippi)
  • Hinds Community College (Mississippi)
  • Texas Tech University
  • State University of New York (SUNY) Oswego
  • Winthrop University (South Carolina)
  • Lansing Community College (Michigan)
  • University of San Diego (California)
  • Waukesha County Technical College (Wisconsin)
  • Baylor University (Texas)
  • American University of Kuwait
  • Harrisburg Area Community College (Pennsylvania)
  • Humber College (Canada)
  • Virginia State University
  • Sam Houston State University (Texas)
  • Temple University (Pennsylvania)
  • Oral Roberts University (Oklahoma)
  • American University (Washington, DC)
  • Mercer Community College (Georgia)
  • Alverno College (Wisconsin)
  • Victoria University of Wellington (New Zealand)

According to Ellucian, more than 1,400 institutions worldwide use the Banner system, which includes student registration, human resources, institutional finance, and financial aid components.

The Ellucian website includes no statement about breaches in its system, and USDOE has not identified the 62 affected postsecondary institutions by name. (NOTE: Update on Ellucian website as of July 19, 2019.)


___________________________________________________________________________

Interested in scheduling Mercedes Schneider for a speaking engagement? Click here.


Want to read about the history of charter schools and vouchers?

School Choice: The End of Public Education? 


Schneider is a southern Louisiana native, career teacher, trained researcher, and author of two other books: A Chronicle of Echoes: Who’s Who In the Implosion of American Public Education and Common Core Dilemma: Who Owns Our Schools?. You should buy these books. They’re great. No, really.


Don’t care to buy from Amazon? Purchase my books from Powell’s City of Books instead.

3 Comments
  1. Laura H. Chapman

    Anyone who wants to see what Ellison is all about should visit the website. A lot of the services are outsourced, which may explain this unusual statement at the website.

    https://www.ellucian.com/assets/en/ellucian-modern-slavery-act-statement.pdf

  2. Reblogged this on Manipulate Magazine: Math 4 You By Us Group Illinois and commented:
    This is important for Educational IT architecture

Trackbacks & Pingbacks

  1. USDOE Alert: Security Breach at 62 Colleges Using the Ellucian Banner Tech/Data System | deutsch29 | IEA Voice
