62 Universities Hacked Through Vulnerability in Web App

Hackers were able to create thousands of fake accounts that were used ‘almost immediately for criminal activity,’ officials said.

62 Universities Hacked Through Vulnerability in Web App

Hackers were able to breach 62 college and university systems by preying on a vulnerability found in an enterprise resource planning (ERP) web app.

The U.S. Department of Education sent out a security alert last week, reports ZDNET.

“The Department has identified 62 colleges or universities that have been affected by the exploitation of this vulnerability,” officials said.

Hackers discovered vulnerabilities in Banner Web Tailor and Banner Enterprise Identity Services, two products by Ellucian, a software company for higher education management.

“We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation,” the Department said.

Joshua Mulliken, a security researcher, uncovered the authentication mechanism used by the two modules can allow hackers to hijack victim’s web sessions and gain access to their accounts.

According to the Department of Education, hackers would break into university systems and “leverage scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts.”

One victim reported the attackers created thousands of fake accounts over several days.

The accounts were used “almost immediately for criminal activity,” officials said, and they were worried hackers would gain access to students’ financial aid information.

Department officials recommend colleges and universities that use versions of the ERP modules to apply patches.

While Ellucian agrees, the company said in a statement that the attacks are not related to its ERP.

“The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products,” the statement said. “Ellucian recommends adding reCAPTCHA capabilities to the admission process to reduce the likelihood of experiencing fraudulent applications for admissions, even if institutions are not currently experiencing this issue.”

According to its website, over 1,400 colleges and universities use the Ellucian Banner ERP.

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

About the Author


Katie Malafronte is Campus Safety's Web Editor. She graduated from the University of Rhode Island in 2017 with a Bachelor's Degree in Communication Studies and a minor in Writing & Rhetoric. Katie has been CS's Web Editor since 2018.

Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century

This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety Conference promo