UK Cyber Inspection Detects Breach, Initiates Additional Security Measures

LEXINGTON, Ky. (Aug. 5, 2021) — An annual cybersecurity inspection by the University of Kentucky recently revealed a vulnerability in a website that allowed an unauthorized individual to likely acquire a copy of a College of Education database. The database did not contain financial, health or social security information, limiting the potential of identity theft of any kind.

Although UK has increased cybersecurity over the last five years, and the incident was detected, UK will add additional security measures.

The database is part of a free resource program known as the Digital Driver’s License for training and test-taking used by K-12 schools and colleges in Kentucky and other states.

The database contained the names and email addresses of students and teachers in Kentucky and in all 50 states and 22 foreign countries, in all more than 355,000 individuals. UK officials have notified the impacted school districts and informed the appropriate regulatory authorities.

“The University of Kentucky has spent more than $13 million on cybersecurity in last five years alone,” said Brian Nichols, UK’s chief information officer. “We have increased cybersecurity investments and enhanced our mitigation efforts in recent years, which enabled us to discover this incident during our annual inspection process conducted by an outside entity. Although the potential for identity theft is limited, we take this incident seriously and it is unacceptable to us. As a result, we will be taking additional measures to provide even more protection going forward. UK's chief concern is end user privacy and protection and we are making every effort to secure end user data.”

What UK is doing

Additional security measures being taken include:

• The server in question will be remediated and put into UK’s centralized computing and server system.
• The college’s Information Technology staff will report into the university’s central IT organization — UK Information Technology Services (UK ITS).
• UK Internal Audit, in collaboration with UK ITS, will accelerate its planned security reviews on cybersecurity practices in colleges, units and departments across the UK enterprise to identify cybersecurity risks for mitigation.
• Additional investments will continue to be made to enhance cybersecurity efforts at UK in the coming years.

These new measures, Nichols said, will be on top of significant investments in cybersecurity in recent years at UK of more than $13 million. In fact, in UK’s recently approved budget for 2021-2022, UK ITS will invest more than $1.5 million in additional funding in cybersecurity measures. Recent and upcoming measures include:

• Search in the coming year for a new position of enterprise chief information security officer (CISO).
• Adding multi-factor authentication for all critical systems.
• Implementing next-generation firewalls at the edge of UK’s systems to mitigate potential security events.
• Instituting rapid patching of critical severity vulnerabilities for internet-facing mission critical systems.
• Adding cloud disaster recovery for myUK, the institution’s enterprise resource planning platform.
• Rolling out modern endpoint protection to combat threats such as malware, ransomware, and phishing scams.

“We know we are part of a long and ever-growing list of institutions — in both the public and private sectors — that are attacked by these bad actors,” Nichols said. “That’s why we must be ever more vigilant in the mitigation measures we deploy to protect our infrastructure and systems.”

What happened

Nichols noted that the server that was involved in this incident was not part of the university’s central enterprise systems, and the incident did not involve other university or college systems. Foreign actors were able to exploit a vulnerability in a website to likely acquire a copy of the Digital Driver’s License database. UK discovered the incident during an inspection by a third-party and took the server offline in early June to investigate further, determine what information had been potentially accessed and to secure the server as well as take other appropriate measures. 

The database in question contained the Digital Driver’s License, which is part of a longstanding UK College of Education program called Open-source Tools for Instructional Support (OTIS). It is a free resource to schools and colleges that provides online teaching and learning modules. In recent years, the Digital Driver’s License also has been the portal where Kentucky students take required civics tests. Through the Digital Driver’s License, OTIS provides automatic scoring for students taking the exam. UK worked with outside consultants to investigate the incident and determine what limited data had been potentially acquired. Other databases within OTIS were not involved. UK officials are working quickly to ensure that the new OTIS system with increased security measures is available to teachers and students.

“We will invest whatever it takes to protect our infrastructure and systems that enable us to do so much in support of our teaching, research and service missions,” Nichols said. “Good work by our team discovered this incident and was able to limit its impact. Now, we will take even more steps to further bolster our security as we know every major institution faces constant threat. We must be as relentless in protecting our systems as others are in attacking them.”

Any questions can be directed to 859-562-3098 or toll free: 833-510-0030 from 9 a.m.–5 p.m. Monday-Friday or cyberresponse@uky.edu

Individuals can also visit here for more information.