Hackers target 62 US universities through flaw in enrollment software
At least 62 US universities have been targeted by hackers who stole student data and used it to create thousands of fake accounts, according to a security alert the Department of Education's Federal Student Aid page released this week.
The attackers reportedly exploited a weakness in a popular banner system made by the company Ellucian. According to the alert, hackers were able to use this vulnerability to access data from the admissions and enrollment sections of schools and then use that to create thousands of fake accounts in order to conduct cybercrime. Six hundred fake accounts appeared in just 24 hours before the alert went live on Monday.
The Ellucian banner software at the center of all this works as a drop down menu meant to simplify admissions and enrollments at schools. The Ellucian video below illustrates how schools deploy the software, which, according to the company, over 1,400 universities currently use. (The alert did not specifically name the 62 universities effected by the attack.) On the student side of the software, Ellucian can be used to make course registrations, apply to classes and edit schedules, all of which require large amounts of personal data.
All that streamlining of data can be helpful for students, but it also attracts hackers looking to leverage that information to make a quick buck. The Department of Education did not immediately respond to INSIDER's request for clarification on what type of crimes the fake identities were used for.
"The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability," the alert reads. "We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation."
According to the alert, the attack may have also targeted the school's financial aid departments and could disrupt the administration of financial aid at the effected schools.
Ellucian did not immediately respond to INSIDERs request for comment but told Politico that they had since issued a patch meant to fix the vulnerability.
Universities are prime targets for hackers. In addition to possessing large amounts of student and faculty personal information like names, addresses, and social security numbers, school databases also often hold more granular data that — when leveraged properly — can be sold for top dollar on internet black markets. Larger research schools also often collaborate with government agencies which can produce nationally sensitive data. Last year the Department of Justice indicted nine Iranian nationals after it was revealed that they had launched a state sponsored cyberattack against universities aimed at stealing sensitive research.
Gloss