Data Breach Discovered During University of Kentucky’s Penetration Test
A scheduled security penetration test affected the University of Kentucky in early June. It is reported that one of the university’s test-taking platform suffered a security breach.
The university’s data breach disclosure letter mentioned of a bug being exploited by an unknown threat actor between January 8, 2021 and February 6, 2021 which allowed the hacker to access the university’s Digital Driver’s License platform and the hacker stole its internal data.
A review of the database showed that although it contained the user’s email address and password, no other personal information such as birthdates, social security numbers, or financial information was stored.
The DDL platform facilitated free online teaching and test-taking capabilities for schools and colleges in Kentucky and some other US states and was also used by the university.
The scheduled tests exposed the flaw in the DDL platform but the university quickly fixed the vulnerability and started the initial investigation with a forensic firm. The process of migrating the DDL server into University of Kentucky’s centralized server also went underway in attempts to provide better protection.
“The database contained the names and email addresses of students and teachers in Kentucky and in all 50 states and 22 foreign countries, in all more than 355,000 individuals,” the university said in a press release.
The data breach notification also said that users will have to reset their passwords the next time they login and that the university is making use of the results obtained from the investigation to “take steps to enhance the security of the database.”
Brian Nichols, University of Kentucky’s chief information officer said, “We know we are part of a long and ever-growing list of institutions—in both the public and private sectors—that are attacked by these bad actors. That’s why we must be ever more vigilant in the mitigation measures we deploy to protect our infrastructure and systems.”
