A recent state audit found the Copiague Union Free School District didn't exercise proper oversight over nonstudent computer network user accounts or financial software access. Credit: James Carbone

The Copiague Union Free School District didn't exercise proper oversight over nonstudent computer network user accounts or financial software access, leaving the system vulnerable to security breaches, a state audit found.

New York State Comptroller Thomas DiNapoli’s office evaluated the district’s information technology system from July 1, 2021, to Oct. 31, 2022.

The audit found the district failed to disable 316 unneeded nonstudent network user accounts, or 24% of its accounts. That included accounts for two employees who left the district more than 17 years ago.

Because of the poor system management, “data and personal, private and sensitive information” accessible by those accounts was “at a greater risk for unauthorized access, misuse or loss,” the report concluded.

Through a spokeswoman, the school district declined to comment on the audit. The district has a high school, a middle school and four elementary schools and serves 5,000 students.

The audit gave four recommendations to the district: establish written policies for managing network user accounts; ensure unneeded accounts are quickly disabled; establish a financial software system administrator who isn't involved in the district’s financial operations; and ensure officials and employees with access to sensitive information receive annual training.

Superintendent Kathleen Bannon said in a Feb. 28 letter included in the audit that the district would address the recommendations and by July 1 would have a new network user access management process in place.

She said by year's end, the district also would implement a process to disable accounts of ex-employees within 24 hours of their departure.

Bannon's letter added that the district introduced new network security and awareness training procedures as of Jan. 1 and also would assign a new financial software system administrator. 

The audit findings, released March 20, also said the Copiague district failed to provide IT “security awareness and data privacy training” annually to those with access to “financial and other sensitive data.”

School officials also didn't have a written policy for disabling nonstudent network accounts, leading to an inconsistent process, the audit noted.

Of the 1,299 total network accounts, 146 were for former district employees. Another 40 were for former district service providers, including three that had administrative rights the report states “could have been used to … manipulate the security settings configured on the network.” 

District officials disabled the old accounts after auditors notified the district of the findings, but while active they could “potentially have been used by those individuals or others for malicious purposes,” the audit noted.

The auditors found eight duplicate accounts, including two for an employee who left the district six years ago. Another account was for a former school board trustee who hadn't served in that role since 2021.

The district’s IT director during the time period examined, a person who wasn't identified by name in the findings, resigned in August 2022, according to the audit.

Auditors also reviewed access to the district’s financial software and determined an assistant superintendent, two employees in treasurer-related roles and two clerks had “more access than needed to perform their job duties and responsibilities.”

Such access could lead to actions “incompatible” with those job duties and increase the risk that “inappropriate transactions could occur and remain undetected,” the audit stated. It didn't suggest any wrongdoing on the part of those officials. 

State Audit Findings

  • 24% of network user accounts should have already been disabled.
  • 146 of those accounts were for ex-employees, two of whom hadn't worked for Copiague in 17 years.
  • Poor account management left the district's computer network “at greater risk” for an outside attack.
