Audits of New York schools and the State Education Department reveal ongoing significant concerns

Posted on September 24, 2023 by Dissent

In May, the NYS Comptroller’s Office released an audit conducted to determine if the New York State Education Department (SED) consistently follows all laws and regulations regarding the safety and privacy of students’ data, and whether SED is properly monitoring school districts to ensure they are complying with the legislation and regulations that govern data privacy and security.

The audit of the SED covered the period from March 2020 through November 2022, and the key findings from that audit were:

  • The Department did not provide adequate oversight of school districts’ compliance with the notification requirements for data incidents.
  • The Department did not provide sufficient oversight of school districts’ compliance with other key requirements of Part 121.
  • The Department has not completed a data classification for all the types of information it manages, processes, or stores, some of which contain student PII.
  • We identified weaknesses in technical controls that need to be corrected to ensure the selected Department and school district information systems and their associated data are not at risk.

So to put it less diplomatically, districts weren’t in compliance and the state wasn’t really providing the needed oversight of certain requirements.

That was an audit of the SED. There was also an audit of the Office of Information Technology Services (ITS), released in May 2023, that attempted to determine whether ITS has security controls in place to ensure appropriate management and monitoring of its Active Directory environment. The audit covered the period from January 2021 through March 2023. From the summary of key findings:

Generally, we determined ITS did not have certain security controls in place according to several ITS policies and standards to ensure appropriate management and monitoring of its Active Directory environment. Due to the confidential nature of our audit findings, we communicated the details of these findings with six recommendations in a separate, confidential report to ITS officials for their review and comment.

Access the full audit report.

Now let’s take a few minutes to get caught up with audits of the school districts themselves. The following are snippets from audits released by Comptroller DiNapoli’s office in 2023 that looked at data security, ITsec, and/or privacy of student data:

Montauk Union Free School District – January 2023. “Since 2013-14, external auditors have annually recommended that the District develop an IT contingency plan. However, the District never developed the plan and could not provide a reasonable explanation for failing to do so.”

Young Women’s College Prep Charter School of Rochester – January 2023. “School officials did not ensure that network and financial software access controls were adequate. As a result, data and personal, private and sensitive information (PPSI) are at greater risk for unauthorized access, misuse or loss.”

Orange Ulster Board of Cooperative Educational Services – January 2023. “BOCES officials did not establish adequate internal controls over network user accounts to help prevent unauthorized use, access and loss.”

Discovery Charter School – February 2023. “School officials did not ensure that network and financial software access controls were adequate. As a result, data and personal, private and sensitive information (PPSI) are at greater risk for unauthorized access, misuse, or loss.”

Eastchester Union Free School District – March 2023. “District officials did not establish adequate controls over user accounts to help prevent unauthorized use, access and loss nor did they establish an adequate IT contingency plan.” As one finding for the audit period between June 2020 and August 2021, the auditors found “unneeded network user accounts, including 181 for students no longer in the District. These students left the District between June 2020 and August 2021.”

Oceanside Union Free School District – March 2023. “Six of 40 employees used District computers to access websites, such as shopping, entertainment, personal email, online gaming and social networking, in violation of the District’s AUP. Internet browsing increases the likelihood that users will be exposed to malicious software that may compromise data confidentiality, integrity or availability.”

Bayport-Blue Point Union Free School District – April 2023. “District officials did not establish adequate network controls for nonstudent user accounts to help prevent unauthorized access. As a result, the District has an increased risk of unauthorized access to and use of the District network and potential loss of important data.”

North Salem Central School District – June 2023. “District officials did not ensure network user accounts were adequately managed…. District officials should have ensured IT staff disabled 181 unneeded network user accounts. Seven of these users left the District between 2011 and 2019.”

Hilton Central School District – June 2023. “In addition to sensitive network access control weaknesses that we confidentially communicated to officials, we found that… The District had 230 unneeded enabled network user accounts, including those for former students, former employees and others who were no longer providing services to the District.”

Amherst Central School District – June 2023. “District officials did not adequately secure user account access to the network or properly manage user accounts and permissions in financial and student information applications…. As many as 1,570 accounts were unneeded but were not disabled… Four accounts had unnecessary network administrative access.”

East Williston Union Free School District – June 2023. For the audit period ending January 11, 2022, the auditors found “District officials did not adequately manage and monitor nonstudent network user accounts to help prevent unauthorized use, access and loss…. 222 of the enabled nonstudent network user accounts (32 percent) were not needed or disabled. Most of these accounts should have been disabled in February 2021.”

Chenango Valley Central School District – June 2023. “In addition to finding sensitive IT control weaknesses, which we communicated confidentially to officials, we found that sixty-eight, or 12 percent, of the District’s nonstudent network user accounts were no longer needed.”

West Hempstead Union Free School District – July 2023. “District officials did not establish adequate controls over nonstudent network user accounts to help prevent unauthorized use, access and loss. Officials did not disable 60 of the District’s enabled nonstudent network accounts (11 percent) that were not needed. Twenty-two of these accounts (37 percent) have not been used in more than five years, with the oldest being last used more than 10 years ago.”

Ulster Board of Cooperative Educational Services – August 2023. “BOCES officials did not adequately manage and monitor network user accounts to help prevent unauthorized use, access, or loss…. Officials did not disable 17 unneeded network user accounts, including seven former employee accounts and 10 accounts not used by active employees, that had last log on dates ranging from November 2016 to December 2021. Officials did not review and disable 76 potentially unneeded user accounts, including 34 shared accounts, 31 service accounts, eight vendor accounts and three service accounts.”

Hicksville Union Free School District – September 2023. “District officials did not properly manage network user account controls to help maintain continuity of business office operations and prevent unauthorized computer use, access and loss. Officials also did not establish written procedures for granting, verifying, changing and disabling network user account access, including business office network user account access.”

Kiryas Joel Village Union Free School District – September 2023. “District officials did not adequately secure user account access to the network and shared network folders to help safeguard PPSI…. Officials did not disable 35 unnecessary former employee, shared and service network user accounts which account for 11 percent of the District’s enabled accounts. The majority of these accounts belonged to former employees and were last used to log into the network between June 2015 and August 2022. They also did not adequately secure shared network folder access, resulting in users having unnecessary access to multiple forms of PPSI in eight shared folders.”
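The finding that recurs through these audits is enabled accounts whose owners have left, or that have not been used in years, alongside shared, service and vendor accounts nobody has reviewed. The following is an added example (not code from the Comptroller's reports or any district) of the periodic account review those findings call for, run over a constructed account export; the field names, the five-year staleness threshold taken from the West Hempstead finding, and the sample accounts are assumptions.

```python
from datetime import date

AS_OF = date(2023, 9, 24)            # review date (assumed)
STALE_AFTER_DAYS = 5 * 365           # "not used in more than five years"
REVIEW_TYPES = ("shared", "service", "vendor")

# Constructed sample of a directory export; "separated" is the date the
# owner left the district, or None for a current employee/student.
ACCOUNTS = [
    {"user": "jsmith",      "type": "employee", "enabled": True,  "separated": None,              "last_logon": date(2023, 9, 1)},
    {"user": "rjones",      "type": "employee", "enabled": True,  "separated": date(2019, 6, 30), "last_logon": date(2019, 6, 28)},
    {"user": "student17",   "type": "student",  "enabled": True,  "separated": date(2021, 6, 25), "last_logon": date(2021, 6, 20)},
    {"user": "student42",   "type": "student",  "enabled": False, "separated": date(2020, 6, 26), "last_logon": date(2020, 6, 19)},
    {"user": "library",     "type": "shared",   "enabled": True,  "separated": None,              "last_logon": date(2012, 3, 4)},
    {"user": "svc_backup",  "type": "service",  "enabled": True,  "separated": None,              "last_logon": date(2023, 8, 30)},
    {"user": "vendor_hvac", "type": "vendor",   "enabled": True,  "separated": None,              "last_logon": date(2016, 11, 2)},
]


def review_accounts(accounts, as_of=AS_OF):
    """Sort enabled accounts into the categories the audits report on."""
    enabled = [a for a in accounts if a["enabled"]]
    # Owner has left but the account is still enabled: disable it.
    unneeded = [a for a in enabled if a["separated"] is not None]
    # No logon for more than the threshold: disable or justify.
    stale = [a for a in enabled if (as_of - a["last_logon"]).days > STALE_AFTER_DAYS]
    # Shared/service/vendor accounts: confirm an owner and a continuing need.
    review = [a for a in enabled if a["type"] in REVIEW_TYPES]
    return {"enabled": enabled, "unneeded": unneeded, "stale": stale, "review": review}


def summarize(result):
    """Produce the counts and percentages in the form the audit excerpts use."""
    n = len(result["enabled"])
    pct = lambda key: round(100 * len(result[key]) / n) if n else 0
    oldest = min((a["last_logon"] for a in result["stale"]), default=None)
    return {
        "enabled": n,
        "unneeded": len(result["unneeded"]), "unneeded_pct": pct("unneeded"),
        "stale": len(result["stale"]), "stale_pct": pct("stale"),
        "oldest_stale_logon": oldest,
        "needs_review": len(result["review"]),
    }


if __name__ == "__main__":
    for key, value in summarize(review_accounts(ACCOUNTS)).items():
        print(f"{key}: {value}")
```

The same two functions can be pointed at a real export (for example a CSV of sAMAccountName, enabled flag, lastLogonTimestamp and HR separation date) once the rows are loaded into the same dict shape.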

Comment

DataBreaches first started covering audits of the NY State Education Department and school districts in 2010. The results were dismal then, and they continue to be dismal. There is no need to wonder why school districts are the victims of so many cyberattacks when they are sitting ducks without adequate resources and expertise to properly secure personal and sensitive data of employees and students, and the state isn’t all over them to get them into compliance.

It is September of 2023 and there has been no NYS Comptroller’s audit of the NYC Education Department’s IT security since… 2004? And if you look at the NYC Comptroller’s Office to see their audits in education, guess what you won’t find there, either?

There has been increasing awareness of the need to monitor vendors and other security issues affecting the privacy and security of student (and employee) data, but where are the serious audits of the city’s infosecurity programs and controls? When will those audits be conducted and released? And when will SED really ensure that districts comply with privacy and security laws and regulations?
