IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Hackers Access Data of 355K People at University of Kentucky

During an annual cybersecurity inspection, university officials discovered that hackers had exploited a vulnerability in the university’s website to access the College of Education database.

University of Kentucky.jpg
University of Kentucky
(TNS) — Limited information for more than 350,000 students and teachers was accessed through a website hack of a database at the University of Kentucky College of Education, officials announced Thursday.

UK officials said the breach was detected during an “annual cybersecurity inspection.” The compromised College of Education database, Digital Driver’s License, is a free resource used by Kentucky K-12 schools and colleges for online teaching, learning and testing.

Digital Driver’s License contained names and email addresses of more than 355,000 students and teachers in all 50 states and 22 countries. However, the hacked database did not contain financial, health or Social Security information, which makes the risk of identity theft “significantly limited,” according to Jay Blanton, UK’s chief communications officer.

“We apologize for what happened, and we are acting quickly to put in additional steps to protect the data of everyone in our community and all those we serve,” Blanton said. “We are fortunate that we discovered the issue, fixed it and then reached out to those who may be impacted to see what we could do to help. We want them to know we will be relentless in protecting these systems and their data.”

However, Blanton said the university does not believe the hackers were targeting educational records. “We know there was a breach, and that data was accessed,” he said. “However, we also suspect that these bad actors thought the data was something else, given the term Digital Drivers’ License.”

Brian Nichols, the university’s chief information officer, said the server involved did not belong to UK’s main computer system or link to other university or college systems.

“Foreign actors were able to exploit a vulnerability in a website to likely acquire a copy of the Digital Driver’s License database,” UK officials said.

University representatives said they took the server offline in June, notified the affected school districts and reported the incident to the “appropriate regulatory authorities.”

Digital Driver's License offers “online teaching and learning modules” and test-taking, including some civics exams. UK is “quickly” developing a new online system with increased security.

New security measures

UK is taking additional steps to increase security measures, Nichols said.

“Although the potential for identity theft is limited, we take this incident seriously, and it is unacceptable to us,” he said. “As a result, we will be taking additional measures to provide even more protection going forward. UK’s chief concern is end-user privacy and protection, and we are making every effort to secure end-user data.”

Those additional steps include:

— Investing an additional $1.5 million to fund cybersecurity measures; Nichols said the university has spent more than $13 million on cybersecurity in the last five years.

— Creating the position of Enterprise Chief Information Security Officer.

— Adding multi-factor authentication for “all critical systems.”

— Introducing endpoint protection against malware, ransomware and phishing scams.

UK officials said individuals can call 859-562-3098 or toll free: 833-510-0030 from 9 a.m. – 5 p.m. Monday-Friday or email with any questions.

©2021 the Lexington Herald-Leader (Lexington, Ky.). Distributed by Tribune Content Agency, LLC.