The University of Kentucky revealed that a security breach was discovered during a planned pen test conducted by a third party in June.
The breach affected the Digital Driver’s License (DDL) platform, which the university developed under the Open-source Tools for Instructional Support (OTIS) program in the 2000s.
The DDL serves as a free online learning and test-taking platform for K-12 schools and colleges in the US. It offers a variety of tools that allow users to take tests online.
In June, the university discovered that its DDL had been breached after conducting penetration tests on its platforms.
The test revealed a flaw in the DDL platform that had been exploited earlier this year.
In a data breach disclosure letter sent to several US states, the university revealed that an unknown actor gained access to its database and acquired a copy of it through a bug between January 8, 2021, and February 6, 2021.
The stolen database contained data belonging to over 355,000 individuals.
“The database contained the names and email addresses of students and teachers in Kentucky and in all 50 states and 22 foreign countries, in all more than 355,000 individuals,” the university said in a press release.
School officials are now notifying affected schools, colleges, and students.
The university has fixed the issue and is now migrating the DDL server to a centralized server system for better security.
“We know we are part of a long and ever-growing list of institutions — in both the public and private sectors — that are attacked by these bad actors,” said Brian Nichols, University of Kentucky chief information officer. “That’s why we must be ever more vigilant in the mitigation measures we deploy to protect our infrastructure and systems.”