The University of Kentucky has sent out a letter disclosing a data breach impacting some 355,000 individuals.

UK discovered the issue during an annual cybersecurity penetration test. The breach occurred in June 2021, impacting the College of Education database, part of the university’s Digital Driver License (DDL) platform. The DDL is used by K-12 schools and other colleges, both in and outside of Kentucky, for online training and test-taking.

UK says the database contained usernames (usually a person’s email) and passwords for some 355,000 individuals, although the university says it contained no other personal information, minimizing potential identity theft concerns.

“The University of Kentucky has spent more than $13 million on cybersecurity in last five years alone,” said Brian Nichols, UK’s chief information officer. “We have increased cybersecurity investments and enhanced our mitigation efforts in recent years, which enabled us to discover this incident during our annual inspection process conducted by an outside entity. Although the potential for identity theft is limited, we take this incident seriously and it is unacceptable to us. As a result, we will be taking additional measures to provide even more protection going forward. UK’s chief concern is end user privacy and protection and we are making every effort to secure end user data.”

You can read UK’s full disclosure letter, contributed by The Record, here.

The DDL’s primary purpose is to provide free online teaching and test-taking capabilities to K-12 schools and colleges in Kentucky and other US states. The platform is also used by the university for some of its own test-taking capabilities.

The DDL breach was discovered in early June when the university carried out scheduled penetration tests of its platforms with the help of a third party.

The test uncovered a vulnerability in the DDL platform, which when the university investigated further it discovered that it had been exploited earlier in the year.