Universities: Hackers Fake Student Accounts

Universities: Hackers Fake Student Accounts

Blog by Lawrie Abercrombie, Arcanum’s Technical Director.

Universities and cyber security are one of Arcanum’s favourite topics.  At the same time that one of my colleagues is part of a panel assessing the competency of Post and Under-Graduate Cyber Security degree courses offered by UK Universities, I’ve been having another look at Universities’ own cyber security.

As we have said before, Universities are prime targets for hackers and over the last couple of years, we have published a number of White Papers about cyber-attacks on Universities worldwide.  Much of the data that we discovered was focused on the US, simply because they have had mandatory breech reporting laws far longer than anywhere else in the world, and of course they have three times as many Universities as the whole of the EU combined.

The latest breach we’re looking at is no different in that it’s largely US centric, and for pretty much the same reasons.  Earlier this week, the US Department of Education announced that hackers have created thousands of fake student accounts which they used to commit cyber-crimes after they hacked at least 62 Universities, through a vulnerability in popular admissions and enrolment banner software made by Ellucian.  At least 600 of the fake accounts were created in the 24 hours before the alert was published on Monday. The Universities haven’t been publically named as yet and although it’s based in the US, Ellucian boasts that the application is used by over 1,400 Universities worldwide, including several in the UK.

Ellucian says that the vulnerability has now been patched.  However, it’s not clear if the patch has been rolled out across all of the Universities using the software.  Since the Department of Education’s warning adds that they have “recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation“, patching could be a very good idea!


Lawrie Abercrombie M.Inst.IISP is Technical Director at Arcanum IS Ltd, a specialist Cyber Risk Management Consultancy working with Businesses, Government and Defence Industry.


If you are looking to improve your information security, please get in touch to organise a call or meeting. One of our NCSC certified consultants would be delighted to guide you through the measures to put in place to help secure your University.

Please give us a call on 01558 669140 or email admin@arcanum-cyber.com.

To read more University White Papers by Arcanum, click here.