[TheRecord] University of Kentucky discovers data breach during scheduled pen-test

The University of Kentucky said it discovered a security breach of one of its test-taking platforms during a scheduled security penetration test carried out by a third party in early June.

The breach affected the university’s Digital Driver’s License platform, a web-based portal the university developed in the early 2000s part of an education program called Open-source Tools for Instructional Support (OTIS).

The DDL’s primary purpose is to provide free online teaching and test-taking capabilities to K-12 schools and colleges in Kentucky and other US states. The platform is also used by the university for some of its own test-taking capabilities.

The DDL breach was discovered in early June when the university carried out scheduled penetration tests of its platforms with the help of a third party.

The test uncovered a vulnerability in the DDL platform, which when the university investigated further it discovered that it had been exploited earlier in the year.

Stolen database contained data for 355,000 individuals

According to a data breach disclosure letter sent to several US states and obtained by The Record on Thursday, the university officials said the subsequent investigation discovered that an unknown threat actor used the bug between January 8, 2021, and February 6, 2021, to gain access to the DDL platform and acquire a copy of its internal database.

“The database contained the names and email addresses of students and teachers in Kentucky and in all 50 states and 22 foreign countries, in all more than 355,000 individuals,” the university said in a press release.

Stolen information included only emails and passwords, per the university’s breach notification letter. No SSNs or financial details were included.

Officials are now in the process of notifying affected schools, colleges, and students.

The university said it fixed the vulnerability and is now migrating the DDL server into its centralized server system to benefit from better protection.

“We know we are part of a long and ever-growing list of institutions — in both the public and private sectors — that are attacked by these bad actors,” said Brian Nichols, University of Kentucky chief information officer. “That’s why we must be ever more vigilant in the mitigation measures we deploy to protect our infrastructure and systems.”

The post University of Kentucky discovers data breach during scheduled pen-test appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

Daily NCSC-FI news followup 2020-11-14

Schools Struggling to Stay Open Get Hit by Ransomware Attacks www.wsj.com/articles/my-information-is-out-there-hackers-escalate-ransomware-attacks-on-schools-11605279160?mod=djemalertNEWS Districts around the U.S. are fighting a wave of increasingly aggressive hackers, who are publicly posting sensitive student information. Based on searches of hackers’ sites on the dark weba network of websites accessed through special software that gives users anonymityas well as publicly known […]

Read More

[HackerNews] UBEL is the New Oscorp — Android Credential Stealing Malware Active in the Wild

All posts, HackerNews

An Android malware that was observed abusing accessibility services in the device to hijack user credentials from European banking applications has morphed into an entirely new botnet as part of a renewed campaign that began in May 2021. Italy’s CERT-AGID, in late January, disclosed details about Oscorp, a mobile malware developed to attack multiple financial targets […]

Read More

[BleepingComputer] Windows 365 – Microsoft’s new virtualized Cloud PC service

Microsoft has unveiled their greatly anticipated cloud-based Windows 365 service – a virtualized desktop service allowing businesses to deploy and stream Cloud PCs from Azure. […] Source: Read More (BleepingComputer)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.