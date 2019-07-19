Dive Brief:

Hackers accessed sensitive student data at 62 colleges by exploiting a security flaw in Ellucian's widely used Banner system, the U.S. Department of Education announced this week.

Over the course of several days, attackers used the security flaw to create thousands of fake student accounts, some of which "appear to be leveraged almost immediately for criminal activity," the Ed Department said.

Ellucian issued patches for the issue in mid-May. The security flaw and the creation of fake student applications are unrelated issues, and the latter is an "industry issue," said Josh Sosnin, the company's chief information security officer, in a statement.

Dive Insight:

The security flaw was found in older versions of the Banner components that colleges use to build web applications and to authenticate users.

Hackers used the security flaw to take over users' sessions when they tried to log in and may have been able to access sensitive student data, according to the National Institute of Standards and Technology. The Ed Department noted on its website that the security breach may have also given hackers access to the agency's student financial aid data; it did not return a request for further comment.
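The article does not describe how the session takeover worked, and the example below does not claim to reproduce the Banner flaw or any Ellucian code. It is an added, generic illustration of the login-time failure mode the paragraph describes: a session store that hands out guessable identifiers and keeps the same identifier across login can be hijacked by anyone who obtained or planted that identifier first, whereas a store that issues cryptographically random identifiers and rotates them on every successful login defeats the same attack. All class names, the credential table and the attack helper are constructed for this illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None  # None until the session is authenticated


# Constructed credential table standing in for a real directory (assumption).
_USERS = {"alice": "correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    expected = _USERS.get(user)
    return expected is not None and secrets.compare_digest(expected, password)


class WeakSessionStore:
    """Hypothetical weak design: sequential IDs, no rotation at login.

    Anyone who guessed or planted an ID before the victim logged in
    inherits the authenticated session afterwards (session fixation)."""

    def __init__(self) -> None:
        self._next = 1000
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = str(self._next)  # predictable and enumerable
        self._next += 1
        self._sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        if not check_password(user, password):
            raise PermissionError("bad credentials")
        # Defect: the pre-authentication ID is kept and merely upgraded.
        self._sessions.setdefault(sid, Session()).user = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        return s.user if s else None


class HardenedSessionStore:
    """Random IDs from the OS CSPRNG and a fresh ID on every successful login."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        if not check_password(user, password):
            raise PermissionError("bad credentials")
        # Discard whatever ID the client arrived with (known or not) and bind
        # the authenticated state to a brand-new one the attacker never saw.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user)
        return new_sid

    def whoami(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        return s.user if s else None


def fixation_attack(store) -> Tuple[bool, bool]:
    """Attacker obtains an ID first; the victim then logs in using that ID.

    Returns (attacker_now_authenticated_as_victim, victim_session_works)."""
    planted = store.new_session()  # attacker's copy of the ID
    victim_sid = store.login(planted, "alice", "correct horse battery staple")
    return (store.whoami(planted) == "alice", store.whoami(victim_sid) == "alice")


def guess_next_id(store) -> Optional[str]:
    """Enumeration check: can an attacker predict a freshly issued ID?"""
    first = store.new_session()
    try:
        guess = str(int(first) + 1)  # only meaningful against sequential IDs
    except ValueError:
        return None
    issued = store.new_session()
    return issued if issued == guess else None


if __name__ == "__main__":
    print("weak:     attacker hijacks login?", fixation_attack(WeakSessionStore())[0])
    print("hardened: attacker hijacks login?", fixation_attack(HardenedSessionStore())[0])
```

The two properties matter independently: random identifiers stop an attacker from guessing a victim's session, and rotating the identifier at login stops an attacker who obtained one by other means (a planted cookie, a shared link, a race on the login endpoint) from riding it into the authenticated session.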

It's not clear how many institutions are still using the older versions of the software, but more than 1,400 colleges use Banner for a variety of services, including for managing student information, employee benefits and financial aid.

An Ellucian spokesperson didn't say how or when the vulnerability was discovered. However, a GitHub post suggests a University of South Carolina student worker may have found and reported the issue to the company in December.

Colleges — which house intellectual property, student data and financial information — have long been a target for cybersecurity attacks. And those that fail to keep their systems up to date are especially at risk, said cybersecurity expert Russell Schrader in an interview with Education Dive last year. At the time, Schrader was executive director of the National Cyber Security Alliance.

"It's not sexy to sit around and update your operating system, but it's the best way to make sure you're not opening your institution up to attacks that have already been solved," he said.

Brian Kelly, director of the cybersecurity program at Educause, told Education Dive in an email that "broad-based institutional participation" is critical to protecting sensitive data. "Because cybersecurity threats can target multiple points of entry in an institution, (it) is important for all campus members to know basic information security protections to safeguard data and prevent those data from being mishandled," Kelly wrote.

Tight budgets could make it hard for some colleges to shore up their defenses as cyberattacks grow more complex, Moody's analysts wrote in a report earlier this year.

That's contributed to an "upward trend" in attacks; U.S. institutions had 101 data disclosures in 2017, up from 15 in 2014, the analysts noted.

This week, a hacker brought down Monroe College's website and demanded $2 million in Bitcoin to restore the for-profit institution's system, the New York Daily News reported.

Earlier this year, hackers gained access to admissions files from Grinnell, Hamilton and Oberlin colleges. The hackers told students they could buy their applicant files, including their interview reports and comments from the admissions officers, for nearly $4,000 in Bitcoin, The Wall Street Journal reported.