Ellucian vulnerability was not behind recent university cyberattacks

The Education Department has released an updated notice providing new information on the widespread attacks against universities reported last month.

No university information systems have been compromised as a result of a security flaw in Ellucian software, the Department of Education said in a notice Tuesday — going back on its claim last month that hackers had infiltrated 62 institutions by exploiting the flaw.

Instead, the notice says, the Department is investigating whether universities had fallen victim to “automation attacks,” which, instead of targeting a particular software vulnerability, send a barrage of registration attempts at the front-end portals of university systems in the hope of generating fraudulent accounts. They have apparently been successful: one attack was able to generate 600 accounts in a 24-hour period, according to the Department’s first notice.
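Registration abuse of the kind described above shows up in ordinary web-server logs as a burst of accepted sign-up requests from one source. The following is an added example (not code from the article, Ellucian or the Department of Education) that parses constructed combined-format access-log lines and flags any source IP whose accepted registration POSTs inside a sliding window exceed a threshold; the `/register` endpoint, the one-hour window and the threshold of 20 are assumptions chosen for illustration.

```python
# Added example: registration-burst detector over web-server access logs.
# Assumptions: combined-format log lines, account creation at POST /register,
# and an illustrative window/threshold; none of these come from the article.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path"), int(m.group("status")))

def registration_bursts(lines, path="/register", window=timedelta(hours=1), threshold=20):
    """Map each source IP to its peak count of accepted registration POSTs
    inside any sliding window, keeping only IPs above the threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == path and rec[4] in (200, 201, 302):
            events[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def constructed_sample():
    """Constructed lines: one IP scripting 25 sign-ups in 8 minutes, another
    registering twice an hour apart (documentation-range addresses)."""
    base = datetime(2019, 8, 20, 9, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
    burst = [(base + timedelta(seconds=20 * i), "203.0.113.7") for i in range(25)]
    normal = [(base, "198.51.100.4"), (base + timedelta(hours=1), "198.51.100.4")]
    return [fmt.format(ip=ip, ts=t.strftime(TS_FMT)) for t, ip in burst + normal]
```

Running `registration_bursts(constructed_sample())` flags only the scripted source; a real deployment would key on additional signals (session, user agent, CAPTCHA outcome) since a single-IP threshold is trivially spread across many addresses.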

“We strongly encourage every institution to review these third-party front-end applications to ensure that they are not introducing vulnerabilities,” the notice reads.

The Department still advised universities to make sure their Ellucian Banner software was up to date. The platform is used by more than 1,400 universities, according to Ellucian, to centralize and manage various administrative functions, like financial aid and course registration.

A security researcher discovered a vulnerability in Banner last year, which, he wrote in a disclosure, hackers could leverage to get access to user accounts. Ellucian released a patch for the flaw in May, but the Department said in its original security notice that universities had been slow to update the software, leading to attacks.

“Ellucian has conducted its own research and monitoring that has produced no evidence of any attempt to attack the known Banner vulnerability,” Ali Robinson, Ellucian’s director of media relations, wrote in a statement to EdScoop.

While the Education Department agreed that it had found no evidence for a link between the reported automation attacks and the Ellucian flaw, it said its investigation is ongoing.

“Through continued efforts, we are learning more about the ways cybercriminals are trying to attack institutions of higher education,” Department Press Secretary Liz Hill said in a statement. “We cannot underscore how critical it is for schools to put all available resources to protecting student data.”
