A data breach at the University of Kentucky has exposed the personal information of its students and staff.
Uncovered by an annual cybersecurity inspection, the breach was caused by a vulnerability in a server associated with the university’s College of Education database.
The database did not include financial, health or social security information, but contained the names and email addresses of students and teachers in Kentucky and in all 50 states and 22 foreign countries.
In a statement, University of Kentucky’s chief information officer, Brian Nichols explained that the database “is part of a free resource program known as the Digital Driver’s License for training and test-taking used by K-12 schools and colleges in Kentucky and other states.”
University officials have notified the impacted school districts and informed the appropriate legal and regulatory authorities.
The university said it has invested more than $13 million on cybersecurity in the last 5 years alone. To prevent any future breaches the University of Kentucky’s Information Technology Services will be investing an additional $1.5m to fund its cybersecurity measures.
Other upcoming and recent cybersecurity measures include:
- The creation of a new Enterprise Chief Information Security Officer (CISO);
- Adding multi-factor authentication for all critical systems, including VPN and email;
- Instituting rapid patching of critical severity vulnerabilities for internet-facing mission critical systems.