State audit: School districts unprepared for cyber attacks

ALBANY — Student data, including names, birth dates and addresses, are not always kept secure by school districts or the state Education Department, the state Comptroller’s Office found in an audit issued Tuesday.

The Education Department “has not taken the fundamental steps or improved the technical controls needed to secure its own critical systems,” the auditors said.

Auditors also went to four school districts and scanned their systems for vulnerabilities. What they found was so concerning that the districts took immediate action, they said.

Such scans are required at every school district, but the state Education Department hasn’t made sure districts comply, according to the audit.

Three other school districts visited by auditors — out of 16 districts — did not hold any data privacy and security awareness training for employees. Those trainings help prevent cyber attacks and ransomware that trick employees into letting a virus into the system.

“The State Education Department and school districts had a responsibility to strengthen and protect student data and systems well before the pandemic,” said Tina Kim, deputy comptroller of State Government Accountability. “But remote learning increased reliance on IT services, apps and third-party programs and it’s clear schools were not prepared for the heightened cyber risks.”

From March 2020 to April 2021, school districts reported 131 incidents in which data was accessed without permission. (Not all of them were cyber attacks. Some could have been genuine mistakes, auditors noted.) But such incidents have continued to rise since then.

“Cyber security incidents at New York’s schools more than tripled over the last three years, resulting in personal information of students, families or teachers being compromised,” Kim said. “Whether through human error, data…
