Security Update for ProctorU Clients

Last Updated: September 21, 2020

This page provides information about a data security incident that resulted in unauthorized access to high-level information about certain ProctorU registered users.

We are pleased to report that our forensic investigation led by leading third-party experts has concluded, and found no evidence of further unauthorized access to high-level information about ProctorU’s registered users. We are also confident that, based on frequent systems monitoring reports, there is no ongoing threat to ProctorU’s systems. After collaborating with leading third-party experts to remediate this incident, we have worked diligently to implement additional cybersecurity safeguards to further secure ProctorU’s systems.

ProctorU remains committed to protecting its customers’ data and takes this incident very seriously.

This was a sophisticated attack, and we have worked as quickly as possible to obtain accurate and complete information to share with you. We continue to be your partner through this incident and have a dedicated team that we have established to answer any additional questions you may have.

Frequently Asked Questions (FAQs)

What happened?

On July 27, 2020, we became aware that information purporting to come from ProctorU.com was posted to an online message board. That same day, a report identified ProctorU as one of seven companies impacted by a coordinated cyberattack.

ProctorU immediately investigated, and confirmed that historic registration data collected by ProctorU prior to March 2015 appeared to have been acquired and posted by an unauthorized user. ProctorU immediately took steps to contain the incident and retained leading third-party forensic experts to assist in its investigation.

This investigation has concluded, and found no evidence of further, unauthorized access to information about ProctorU’s registered users.

When did the incident occur?

Based on the results of our investigation, we believe the incident occurred on June 26, 2020.

Have you finished the investigation?

We are pleased to report that our investigation led by leading third-party experts has concluded, and found no evidence of further unauthorized access to high-level information about ProctorU’s registered users. We are also confident that, based on frequent systems monitoring reports, there is no ongoing threat to ProctorU’s systems. After collaborating with leading third-party experts to remediate this incident, we have worked diligently to implement additional cybersecurity safeguards to further secure ProctorU’s systems.

What data about ProctorU users was obtained as a result of the incident?

The posted data was comprised of high-level directory information entered by users during ProctorU’s registration process, such as name, address, country, phone and email. Passwords for the user accounts were not disclosed in the data set, although a hashed and salted value was included.

If my institution provided ProctorU data after March 2015, was any of my institution’s data affected in this incident?

Based on the results of our investigation, the data was historic in nature and only encompassed data provided to us prior to March 2015.

My institution was not associated with ProctorU prior to March 2015; why did I still receive a notice about this incident?

Some test-takers in the data set registered with us prior to March 2015 and associated themselves with one institution and at some point after March 2015 changed their association to a different institution.

For example, a student may have been an undergraduate at an institution in 2014 and registered with ProctorU to take a final college exam. The student then graduated and went to law school at a different institution and changed their ProctorU registration information to reflect their new institution for purposes of taking a law school exam in 2016. If the student’s information was included in the historic registration data that was posted online, that data that was posted online only shows the undergraduate institution that student was associated with in 2014. However, we mailed notices to institutions who were associated with affected test-takers after March 2015, like the law school in the above example, so that those institutions would be informed about the incident and prepared to respond to any test-taker inquiries.

We also notified institutions when a user changed the email address associated with their ProctorU account to an email domain affiliated with an institution. For instance, in the example above, if the student did not change their institution selection in their ProctorU account, but merely changed their contact email address in their account from student@college.com to student@lawschool.com, both institutions would receive a notice about the incident even though student@college.com would be the only email address disclosed in the data set posted online.

How was the data obtained?

The investigation revealed that a known hacker group obtained historic user data and posted it online.  There is no evidence that the hacker group obtained unauthorized access to any other systems or unauthorized access to any other information about ProctorU’s registered users.

What has ProctorU done to enhance its security protections since this incident?

ProctorU deployed the following security measures immediately following the discovery of the incident:

  • The testing environment that was compromised was shut down.
  • All passwords were reset for all ProctorU online user accounts that were affected.
  • The complexity requirements for all user passwords were increased
  • All internal user permissions were revoked and re-established on a case by case basis.
  • Supplemental cybersecurity training is being implemented for personnel.
Has ProctorU notified affected individual users?

ProctorU has notified all affected institutions and has notified certain individual users with an administrative role in their institutions. ProctorU has not notified individual test-taker users and will collaborate with its partners to determine whether such notice is desired.