- REUTERS/Kacper Pempel/Illustration/File Photo
- 62 universities were targeted by hackers.
- The hackers were able to obtain data from the schools through a vulnerability in a popular admissions and enrollment banner software made by the company Ellucian, according to The Department of Education
- With access to the data, hackers created thousands of fake student accounts which they used to commit cyber crimes.
- The Department of Education said the attack could prevent the targeted schools from administering financial aid.
- Visit INSIDER’s homepage for more stories.
At least 62 US universities have been targeted by hackers who stole student data and used it to create thousands of fake accounts, according to a security alert the Department of Education’s Federal Student Aid page released this week.
The attackers reportedly exploited a weakness in a popular banner system made by the company Ellucian. According to the alert, hackers were able to use this vulnerability to access data from the admissions and enrollment sections of schools and then use that to create thousands of fake accounts in order to conduct cybercrime. Six hundred fake accounts appeared in just 24 hours before the alert went live on Monday.
The Ellucian banner software at the center of all this works as a drop down menu meant to simplify admissions and enrollments at schools. The Ellucian video below illustrates how schools deploy the software, which, according to the company, over 1,400 universities currently use. (The alert did not specifically name the 62 universities effected by the attack.) On the student side of the software, Ellucian can be used to make course registrations, apply to classes and edit schedules, all of which require large amounts of personal data.
All that streamlining of data can be helpful for students, but it also attracts hackers looking to leverage that information to make a quick buck. The Department of Education did not immediately respond to INSIDER’s request for clarification on what type of crimes the fake identities were used for.
“The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability,” the alert reads. “We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.”
According to the alert, the attack may have also targeted the school’s financial aid departments and could disrupt the administration of financial aid at the effected schools.
In an email sent to INSIDER, Ellucian Chief Information Security Officer Josh Sosnin, acknowledged the since-patched vulnerability in its Banner application but refuted the Department of Education’s analyses that it was the cause of the thousands of fraudulent student applications.
“The Department of Education report also notes that institutions are targeted by bots that submit fraudulent admissions applications,” Sosnin wrote. “This [fraudulent student applications] is an industry issue and not specific to Ellucian or Banner.”
Universities are prime targets for hackers. In addition to possessing large amounts of student and faculty personal information like names, addresses, and social security numbers, school databases also often hold more granular data that – when leveraged properly – can be sold for top dollar on internet black markets. Larger research schools also often collaborate with government agencies which can produce nationally sensitive data. Last year the Department of Justice indicted nine Iranian nationals after it was revealed that they had launched a state sponsored cyberattack against universities aimed at stealing sensitive research.