Hackers may have accessed sensitive student data from over 60 colleges as the result of a security flaw in Ellucian’s widely used enterprise resource planning software.
The U.S. Department of Education has warned of “active and ongoing exploitation” of a security flaw in Ellucian’s Banner system that may have given hackers access to student data such as grades, financial information and Social Security numbers.
A security alert, published Wednesday by the department’s Office of Federal Student Aid, said 62 colleges and universities using Banner had already been targeted. The alert indicates that criminals have been “scanning the internet looking for institutions to victimize” and drawing up lists of colleges to target.
Institutions that have transitioned to Banner 9, the latest version of Ellucian’s enterprise resource planning system, are not thought to be affected. But users using older versions of two Banner modules called Web Tailor and Enterprise Identity Services could be vulnerable.
According to Ellucian’s website, more than 1,400 institutions worldwide use Banner to manage student grades, staff payrolls, course schedules, admissions and student financial aid, among other tasks. Web Tailor and Enterprise Identity Services can be used by system administrators to get access to sensitive data protected under the Family Educational Rights and Privacy Act.