How many school districts have had their funds hacked or otherwise illegally transferred to non-district accounts that we may never have heard about? Consider this newly released NYS Office of the Comptroller audit of Lindenhurst School District on Long Island that reports what were likely hacked accounts in 2007:
[…]
There are nine schools in operation within the District, with approximately 7,000 students and 1,500 employees. The District’s budgeted expenditures for the 2007-08 fiscal year were $127 million, which were funded primarily with State aid, real property taxes, and grants.
During July 2007, six unauthorized on-line wire transfers amounting to $601,577 were initiated that improperly transmitted money from a general fund bank account to various non-District accounts in other banks. In August 2009, we referred this matter to the Suffolk County District Attorney’s Office for further investigation. The Suffolk County District Attorney’s Office investigated this matter and found no evidence of criminal activity by District officials or employees.
The objective of our audit was to determine if the District’s internal controls over selected financial operations are appropriately designed and operating effectively for the period July 1, 2007, to June 30, 2008.
[…]
In July 2007, someone improperly transferred approximately $600,000 from a District bank account to various external bank accounts. Officers at the depository bank recognized the inappropriate nature of these transactions and took action to recover the funds. However, they were only able to recover $496,590. The District lost nearly $105,000.[1] We found that the Board and District officials never investigated and determined how the unauthorized on-line wire transfers were enacted, and never informed law enforcement officials of this significant theft, because they were reportedly told that the bank had notified the Federal Bureau of Investigations. Although controls over on-line wire transfers were improved, the controls over wire transfers initiated by telephone and fax continue to be poor; therefore, the District is still susceptible to the loss of cash through unauthorized transfers.
[…]
[1] The loss was reported to the District’s insurance company. In May 2008, the District received a check for $102,487 from their insurance company and $2,500 from the bank, which was the full amount of the loss.
The following comment was submitted by email:
It’s been reported that an upstate NY school district, Duanesburg, was the victim of a $3 million cyber theft in December 2009. NYS Comptroller Thomas DiNapoli announced today that a Long Island school district lost $600K due to hackers in 2007.
http://www.osc.state.ny.us/press/releases/feb10/020410.htm
The Long Island school district didn’t discover the hack since its finance and IT “experts” didn’t regularly check bank account info. and computer system logs. The FBI is handling both cases. Although the Long Island situation was discovered by the district’s bank over two years ago, the Comptroller reported that the district still hadn’t made all necessary (and elementary) changes needed to keep its IT system particularly secure by the time he finished the audit.
Over the last few years the NYS Comptroller has audited every one of the almost 700 districts in NYS and disclosed, with great regularity, truly dismal IT security situations. Districts with budgets of over $100 million per year often have less secure systems than the average home computer user. Many Comptroller-reported problems were not fixed by the time re-audits were done – years later. And the same security lapses have been reported in the last year’s district audits as were reported when these began being audited. There’s no learning curve for the NY school district industry when it comes to information security.
What’s worse? These districts tend to use the same systems for student-related data, all of which is hackable to the nth degree.
Names, addresses, health insurance information, parents’ names and contact information, health records, social security numbers, etc. For kids who have, or are suspected of having, disabilities, these records can include physicians’ and evaluating experts’ assessments, diagnoses, treatment recommendations, school psychologists’ evaluation reports, teachers’ notes on student and parent conferences, guidance counselors’ notes. These records are a goldmine for people who want to steal districts’ money *and* for those who want to steal personally-identifiable information. These files would be a bonanza for folks who’d like to open bogus credit card accounts in the name of high school students. Then there are the records for teachers, principals, aides, custodians … .
Now for the bad news. NY’s version of regional educational co-ops, called BOCES, have been audited and reportedly have as bad IT security problems as their member districts do. Because the BOCES are supposed to be really expert, they process a tremendous amount of highly confidential data, including Medicaid claims, for their districts.
The NYS Education Department is the only entity in the State of NY which has the legal authority to make districts and BOCES implement reasonable IT security. As far as we can tell, it hasn’t, and won’t. Ever! It certainly didn’t make districts and BOCES with bad IT security-related audit findings in prior years correct them all. *Au contraire!* In fact, Comptroller audits have shown time after time that State Ed. hasn’t made districts and BOCES implement many, sometimes most, audit recommendations relating to finances either. What is the United States Department of Education doing about this? As far as we can tell, nothing. It sends states checks, but seemingly doesn’t care if the money is then stolen.
What an education.
Dee Alpert
http://www.specialeducationmuckraker.com