University of Kentucky discovers data breach during scheduled pen-test
The University of Kentucky said it discovered a security breach of one of its test-taking platforms during a scheduled security penetration test carried out by a third party in early June.
The breach affected the university’s Digital Driver’s License platform, a web-based portal the university developed in the early 2000s as part of an education program called Open-source Tools for Instructional Support (OTIS).
The DDL’s primary purpose is to provide free online teaching and test-taking capabilities to K-12 schools and colleges in Kentucky and other US states. The platform is also used by the university for some of its own test-taking capabilities.
The DDL breach was discovered in early June when the university carried out scheduled penetration tests of its platforms with the help of a third party.
The test uncovered a vulnerability in the DDL platform. When the university investigated further, it discovered that the vulnerability had been exploited earlier in the year.
Stolen database contained data for 355,000 individuals
According to a data breach disclosure letter sent to several US states and obtained by The Record on Thursday, university officials said the subsequent investigation discovered that an unknown threat actor used the bug between January 8, 2021, and February 6, 2021, to gain access to the DDL platform and acquire a copy of its internal database.
“The database contained the names and email addresses of students and teachers in Kentucky and in all 50 states and 22 foreign countries, in all more than 355,000 individuals,” the university said in a press release.
Stolen information included only emails and passwords, per the university’s breach notification letter. No SSNs or financial details were included.
Officials are now in the process of notifying affected schools, colleges, and students.
The university said it fixed the vulnerability and is now migrating the DDL server into its centralized server system to benefit from better protection.
“We know we are part of a long and ever-growing list of institutions — in both the public and private sectors — that are attacked by these bad actors,” said Brian Nichols, University of Kentucky chief information officer. “That’s why we must be ever more vigilant in the mitigation measures we deploy to protect our infrastructure and systems.”