UK/August 06, 2021/By TOM LATEK, Kentucky Today/Source: https://www.kentuckytoday.com/

An annual cybersecurity inspection by the University of Kentucky revealed a vulnerability in a website that allowed an unauthorized individual to likely acquire a copy of a College of Education database.

UK says the database did not contain financial, health or social security information, limiting the potential of identity theft of any kind.

According to Brian Nichols, UK’s Chief Information Officer, “We know we are part of a long and ever-growing list of institutions in both the public and private sectors that are attacked by these bad actors.  That’s why we must be ever more vigilant in the mitigation measures we deploy to protect our infrastructure and systems.”

Nichols noted that the server that was involved in this incident was not part of the university’s central enterprise systems, and the incident did not involve other university or college systems.  Foreign actors were able to exploit a vulnerability in a website to likely acquire a copy of the Digital Driver’s License database.

UK discovered the incident during an inspection by a third-party and took the server offline in early June to investigate further, determine what information had been potentially accessed, and to secure the server as well as take other appropriate measures.

The database in question contained the Digital Driver’s License, which is part of a longstanding UK College of Education program called Open-source Tools for Instructional Support, or OTIS.  It is a free resource to schools and colleges that provides online teaching and learning modules.  In recent years, the Digital Driver’s License also has been the portal where Kentucky students take required civics tests.

Through the Digital Driver’s License, OTIS provides automatic scoring for students taking the exam.  UK worked with outside consultants to investigate the incident and determine what potential data had been acquired.  No other OTIS databases were involved, and UK officials are working quickly to ensure that the new OTIS system, with increased security measures, is available to teachers and students.

Nichols says UK has spent over $13 million on cybersecurity in last five years alone.  “We have increased cybersecurity investments and enhanced our mitigation efforts, which enabled us to discover this incident during our annual inspection process conducted by an outside entity.  Although the potential for identity theft is limited, we take this incident seriously and it is unacceptable to us.  As a result, we will be taking additional measures to provide even more protection going forward. UK‘s chief concern is end user privacy and protection and we are making every effort to secure end user data.”

Source: https://www.kentuckytoday.com/stories/uk-college-of-education-database-hacked,33511?