Data Breach at University of Kentucky

A data breach at the University of Kentucky has exposed the personal information of hundreds of thousands of students and staff.

An annual cybersecurity inspection uncovered the breach, which was caused by a vulnerability in a server associated with the university's College of Education database. 

News source WDRB reported that more than 355,000 email addresses were exposed in the security incident, with victims located across the world. 

"The database is part of a free resource program known as the Digital Driver’s License for training and test-taking used by K-12 schools and colleges in Kentucky and other states," said the University of Kentucky's chief information officer, Brian Nichols, in a statement.

The academic institution said that the names and email addresses included in the database were not limited to students and teachers based in Kentucky. The university revealed that the database also included personal information belonging to students and teachers "in all 50 states and 22 foreign countries."

The university stated: "The database did not contain financial, health or Social Security information, limiting the potential of identity theft of any kind."

University officials said that they have notified the school districts impacted by the data breach and informed the appropriate legal and regulatory authorities. 

The university said that it has invested $13m in cybersecurity over the past five years. To prevent a similar incident from occurring, the University of Kentucky's Information Technology Services will be investing an additional $1.5m to fund cybersecurity measures. 

Among the measures announced by the university are the addition of multi-factor authentication for all critical systems, including email and VPN, and the creation of a new enterprise chief information security officer (CISO) position.

The university said it will also be "implementing next-generation firewalls at the edge of UK’s systems to mitigate potential security events" and taking steps to ensure that critical severity vulnerabilities affecting internet-facing mission-critical systems are patched rapidly. 

A further safety measure that will be rolled out is the automated deprovisioning of accounts for students and employees who have left the university.

What’s Hot on Infosecurity Magazine?