Examining the Cyberattack on Popular Education ERP Platform

Last month, Ellucian’s widely used Banner Web Tailor ERP platform for colleges, which contains students’ personal and financial data, was almost breached. Ellucian works with more than 2,500 institutions in more than 50 countries, helping manage student grades, staff payrolls, course schedules, admissions and student assistance. The cyberattack alert from the Education Department said an “active and ongoing exploitation” of a security flaw in the Banner system gave the hackers access to students’ grades, family finances and Social Security numbers.

“Our ongoing research with targeted institutions has led us to a broader concern regarding the front-end registration portals used by institutions. Specifically, some institutions are using third-party software as front-end access points to the Ellucian Banner System and similar administrative tools. We strongly encourage every institution to review these third-party front-end applications to ensure that they are not introducing vulnerabilities (in need of patches) or increasing the risk of a potential future issue through automation attacks,” the FSA reported.

Security Threat

According to the Education Department, the vulnerability, tracked as CVE-2019-8978, was discovered by security expert Joshua Mulliken. It affects the authentication process used by two modules of the ERP, including Ellucian Banner Enterprise Identity Services, which is used to manage user accounts.

“An improper authentication vulnerability (CWE-287) was identified in Banner Web Tailor and Banner Enterprise Identity Services. This vulnerability is produced when SSO Manager is used as the authentication mechanism for Web Tailor, where this could lead to information disclosure and loss of data integrity for the impacted user(s),” reads the Security Advisory.

However, Ellucian said that to date (based on reports from targeted institutions) they have not found any instances where the Ellucian Banner System vulnerability has been exploited or is related to the issues described in the original alert. The U.S. Department of Education (Department) is continuing to work with colleges and universities to determine what impact, if any, the Ellucian Banner System vulnerability may have had.

How to Keep Your ERP Data Safe

We all know that cybersecurity in any environment, whether an institution or a workplace, is nothing to overlook.

  1. Scheduled Backups: One of the best protection methods is the simplest – schedule regular backups. Having multiple copies ensures your most important business data can’t be held to ransom. Cloud services should back up automatically, but you should still make the effort to keep a copy on a physical drive too, just in case. By backing up data on a different laptop or external hard drive, disconnected from the internet, you are 100% protected from cyber-attack.
  2. Anti-virus Software: This is another simple way to protect the data in your ERP system. Anti-virus software is the first line of defence, there to make sure the stringent backups are never needed. A good anti-virus solution will regularly scan your system for known (and unknown) threats and expel them.
  3. Blockchain Technology: An Internet of Things (IoT) platform built on a blockchain can securely automate your factory operations. The complexity of a blockchain is what makes it incredibly secure: for a cyber-attack to be successful, the hacker would need to have access to every copy of the database simultaneously. Spreading the database across a network on multiple computers makes this an almost impossible task.
  4. Employee Education / Training: Educating your staff / employees on ransomware and how it infects a computer system is another simple prevention method. Make them aware of how important it is to be cautious about emails that are even slightly out of the ordinary, because even official-looking ones can be from a malicious source.


Elizabeth Quirk

Liz is a leading enterprise technology writer covering Enterprise Resource Planning (ERP), Business Process Management (BPM) and Talent Management Suites (TMS) at Solutions Review. She writes to bridge the gap between consumer and technical expert to help readers understand what they're looking for. Liz attended Massachusetts College of Liberal Arts, where she obtained her Bachelor of Arts Degree in English and Communications. You can reach her at equirk@solutionsreview.com