During its annual cybersecurity inspection, the University of Kentucky (UK) discovered a website vulnerability that allowed an unauthorized individual to likely acquire a copy of a College of Education database. As a result of the vulnerability, UK has pledged to add additional security measures.
“The University of Kentucky has spent more than $13 million on cybersecurity in the last five years alone,” said Brian Nichols, UK’s chief information officer. “We have increased cybersecurity investments and enhanced our mitigation efforts in recent years, which enabled us to discover this incident during our annual inspection process conducted by an outside entity. Although the potential for identity theft is limited, we take this incident seriously and it is unacceptable to us. As a result, we will be taking additional measures to provide even more protection going forward. UK’s chief concern is end user privacy and protection and we are making every effort to secure end user data.”
In a press release, UK said the database did not contain financial, health, or social security information – which limits the potential of identity theft of any kind.
The vulnerability stems from a website related to the College of Education’s Digital Driver’s License program. The free resource program is used for training and test-taking used by K-12 schools and colleges in Kentucky and other states.
UK said the database contained the names and email addresses of students and teachers in Kentucky and in all 50 states and 22 foreign countries, totaling more than 355,000 individuals. UK said it has notified the impacted school districts and informed the appropriate regulatory authorities.
“We will invest whatever it takes to protect our infrastructure and systems that enable us to do so much in support of our teaching, research, and service missions,” Nichols said. “Good work by our team discovered this incident and was able to limit its impact. Now, we will take even more steps to further bolster our security as we know every major institution faces constant threat. We must be as relentless in protecting our systems as others are in attacking them.”
In a press release, UK laid out the additional security measures it will be taking:
- The server in question will be remediated and put into UK’s centralized computing and server system.
- The College of Education’s Information Technology staff will now report to the university’s central IT organization – UK Information Technology Services (UK ITS).
- The UK Internal Audit team will work with UK ITS to accelerate its planned security reviews on cybersecurity practices in colleges, units, and departments across the UK enterprise to identify cybersecurity risks for mitigation.
- Additional investments will continue to be made to enhance cybersecurity efforts at UK in the coming years.
In addition to the more immediate security measures, UK said it plans to add even more security measures in the longer term, including:
- Searching in the coming year for a new position of enterprise chief information security officer (CISO).
- Adding multi-factor authentication for all critical systems.
- Implementing next-generation firewalls at the edge of UK’s systems to mitigate potential security events.
- Instituting rapid patching of critical severity vulnerabilities for internet-facing mission critical systems.
- Adding cloud disaster recovery for myUK, the institution’s enterprise resource planning platform.
- Rolling out modern endpoint protection to combat threats such as malware, ransomware, and phishing scams.
“We know we are part of a long and ever-growing list of institutions – in both the public and private sectors – that are attacked by these bad actors,” Nichols said. “That’s why we must be ever more vigilant in the mitigation measures we deploy to protect our infrastructure and systems.”
