Uniondale High School

Uniondale High School Credit: Newsday/Steve Pfost

The Uniondale school district did not follow through on state officials’ recommendations to purge thousands of unneeded computer network accounts, and as a result it put sensitive information at risk, state comptroller Thomas DiNapoli said in a new report.

The report did not find that hackers actually gained access to data in the district's computer system.

However, the district failed to disable nearly 3,500 unneeded accounts, including many for former employees, and it also did not evaluate all accounts to determine whether they are still necessary, despite a 2023 report by the state comptroller’s office urging it to take those precautions, the office said in a report released last month. The unneeded accounts included 12 that had administrative permissions, the comptroller’s office said.

As a result, the district had "increased risk of unauthorized access to and use of the network and potential loss of important data," Elizabeth Ryba, director of municipal audits for the comptroller’s office, said in an interview.

The new findings are based on a review that took place in October, two years after a 2023 report by the comptroller’s office recommending the increased restrictions, the comptroller’s office said. The district had explained to the comptroller’s office at the time that it transferred information to a new system and had been "playing catch-up to reconcile legacy accounts," the report stated.

Monique Darrisaw-Akil, superintendent of Uniondale schools, said Tuesday that the district has now addressed all of the recommendations the comptroller’s office made in 2023.

"There are now written procedures in place for granting, changing and disabling non-student network user account access, and the technology team follows a strict schedule for reviewing this data," she said in a statement. A new system "now automates account onboarding and offboarding for staff," and old, unnecessary accounts "have been purged," she said.

Cyberattack risk

The review in October found that the district had "partially implemented" some of the recommendations the comptroller’s office made in 2023, such as developing written procedures for granting and disabling network access and disabling certain accounts after a period of inactivity, the new report shows.

It is important for school districts and other government agencies to protect against hacking, which can lead to financial losses and exposure of sensitive information, officials with the comptroller’s office said.

Several Long Island school districts have faced cyberattacks in recent years, said Bob Vecchio, executive director of the Nassau-Suffolk School Boards Association. In 2019, the Rockville Centre district paid nearly $100,000, covered by insurance, to restore data after a ransomware virus encrypted files in several New York districts. 

"Cybersecurity has been of growing importance over the last decade," Vecchio said. 

Nick Nikiforakis, an associate professor of computer science at Stony Brook University, said in an interview that organizations should disable accounts that are no longer needed, especially administrative accounts with greater privileges.

Some organizations set up systems that automatically revoke a former employee's access while forwarding their emails to a new account that continues to be monitored, he said.

"If you have many more accounts than you need, each one of these accounts can be a point of entry for an attacker," he said. "If a home has one door that someone can use to gain access, you know you need to secure that one door. If a home has 21 doors, now suddenly you need to make sure that all 21 doors are properly locked."

 Without adequate protections, he said, "you are increasing unnecessarily the attack surface of an organization."

SUBSCRIBE

Unlimited Digital AccessOnly 25¢for 6 months

ACT NOWSALE ENDS SOON | CANCEL ANYTIME