At Least 62 Colleges Were Exploited by a Software Vulnerability. Here’s What You Need to Know.

By Grace Elletson July 18, 2019
The U.S. Education Department’s Lyndon B. Johnson Building (Coolcaesar via Wikimedia Commons)

The U.S. Education Department posted an alert late Wednesday saying that a software program used widely among higher-education institutions has a severe vulnerability that could allow users to gain access to student records.

The program, Banner, is operated by Ellucian, a company that makes higher-education software. Banner can be used to manage student-information, financial, human-resources, and financial-aid systems, according to Ellucian’s website. The Department of Education’s Federal Student Aid office said it had identified at least 62 colleges that have been exploited through the vulnerability.

In the alert, the department said colleges had seen attackers infiltrate Banner and then create multiple student accounts in the “admissions or enrollment section of the affected Banner system.” Over the past 24 hours, the department said, “at least 600 fake or fraudulent student accounts were created,” and “some of these accounts appear to be leveraged almost immediately for criminal activity.”

The Department of Education did not reply on Thursday to The Chronicle’s questions about which colleges had been affected.

Paul E. Black, a computer scientist with the National Institute of Standards and Technology, an arm of the U.S. Department of Commerce that in May posted a description of the vulnerability, said it could cause “really big” problems. The institute, known as NIST, gave the vulnerability a base score of 8.1 out of 10, a high score, meaning that the vulnerability could have severe implications.

If a user successfully exploited the vulnerability and gained administrative privileges, he or she could change any information in the system, including grades and course-registration schedules, according to Black. More concerning, he said, if colleges use Banner to manage their financial-aid systems and payments, a user could change addresses and banking information, potentially redirecting money to different accounts.

The vulnerability was probably identified in December 2018 by a student at the University of South Carolina, Black said. The student notified Ellucian and his university about the problem, according to a report the student uploaded to GitHub. But it wasn’t until late March that Ellucian patched the vulnerability, also according to the report.

It is unclear when or if Ellucian contacted the colleges that use Banner to notify them to patch or update their Banner systems once the vulnerability had been discovered. Ellucian sent a statement to The Chronicle but did not reply to direct questions on Thursday.

In its statement, Ellucian said the department had mistakenly stated that its Banner 8.9 version was susceptible to the vulnerability. The 8.9 version is patched; however, older versions are still vulnerable, the company said. “Only Ellucian customers with Banner Web Tailor versions 8.8.3 and 8.8.4 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4 or earlier, should apply the patches,” the statement read, in part.

Ellucian noted in its statement that bots’ infiltration of colleges’ information systems is an “industry issue” and not specific to Ellucian or Banner.

Colleges store large quantities of personal information behind electronic walls, and breaches, or attempted breaches, are common. Monroe College, in New York, suffered an attack this month and was locked out of its website and other management systems, which were being held hostage in exchange for $2 million in Bitcoin, according to Inside Higher Ed. The college has since regained access to its systems, according to Jackie Ruegger, executive director of public affairs at Monroe.

How the Vulnerability Works

Banner’s vulnerability could be exploited through a “race condition.”

According to Black, a race condition can be best compared to a sneaky prowler trying to gain access to a locked building. Say you walk up to your apartment building’s security officer, who needs to buzz in your key card in order for your front door to swing open. When you hand over the key card, and the door opens, anyone lurking in the shadow of the door frame can head in too.

That’s how virtual prowlers have been able to get into Banner’s systems, by duplicating certain electronic cookies attached to users with administrative privileges who are attempting to log in. In other words, the hackers “race” in first, according to Black.

Black also said that once the hackers enter Banner’s systems, it can be extremely difficult for colleges to distinguish what information has been changed unless the systems keep a log of all edits made. Even then, it can be difficult to sift through what was a legitimate change and what wasn’t. There can be telltale signs of foul play, of course, such as a professor who was logged in and changing a student’s grades in July from another country.

And while NIST rated the vulnerability a high 8.1, the exploitation rate is low, meaning that it’s a difficult vulnerability to abuse.

“It’s actually a lot harder to use,” Black said. “But if you do manage to get in, it’s going to be a whole bunch worse.”

Grace Elletson is an editorial intern at The Chronicle. Follow her on Twitter @graceelletson, or email her at grace.elletson@chronicle.com.
