The Education Department "has not taken the fundamental steps or improved the technical controls needed to secure its own critical systems," the auditors said.
Auditors also went to four school districts and scanned their systems for vulnerabilities. What they found was so concerning that the districts took immediate action, they said.
Such scans are required at every school district, but the state Education Department hasn't made sure districts comply, according to the audit.
Three other school districts visited by auditors — out of 16 districts — did not hold any data privacy and security awareness training for employees. Those trainings help prevent cyber attacks and ransomware, which often rely on tricking employees into letting malware into the system.
"The state Education Department and school districts had a responsibility to strengthen and protect student data and systems well before the pandemic," said Tina Kim, deputy comptroller with the State Government Accountability division of the comptroller. "But remote learning increased reliance on IT services, apps and third-party programs and it's clear schools were not prepared for the heightened cyber risks."
From March 2020 to April 2021, school districts reported 131 incidents in which data was accessed without permission. (Not all of them were cyber attacks. Some could have been genuine mistakes, auditors noted.) But they have continued to rise since then.
"Cyber security incidents at New York's schools more than tripled over the last three years, resulting in personal information of students, families or teachers being compromised," Kim said. "Whether through human error, data breaches or costly ransomware attacks, when personal information is on the internet, it is at risk for identity theft and other types of fraud."
Nationally, cyber attacks impacted 1.2 million students in 2020, up from 39,000 students in 2019, according to a U.S. Government Accountability Office report. In November, Albany school officials cut off the internet for days to stop an attack.
"It is, therefore, more important than ever to ensure that schools have secure systems that protect the safety and privacy of students and their data," the audit said.
When districts discover that data was accessed, they may not always tell the affected people, the audit found.
Out of the 131 incidents reported in March 2020 through April 2021, 55 were missing one of the required dates: date of incident, date of discovery or date of notification of affected parties.
Education Department officials "did not always follow up with school districts to determine if affected parties were notified," the audit said.
In a response to the findings, the Education Department said it was not monitoring school districts to make sure they were keeping data safe because the department had other priorities and vacancies in its Privacy Office.
The Education Department agreed to start monitoring in the second half of 2023.
In addition, the Education Department began working on tightening its own systems. The audit highlighted a problem that was noted in a 2017 audit and in a follow-up review in 2018: the department had not classified all of its data by sensitivity, a step needed to ensure that student data receives the appropriate level of protection.
The Education Department said the turnover of executive staff in its Information Security Office slowed data classification. In response to the audit, the department contracted with the nonprofit New York State Technology Enterprise Corp. and said it would finish the job by February 2023. No one was able to confirm whether that happened, but the comptroller's office said it does not believe the work is finished yet.
A lack of classification also makes it harder to know what was taken in an attack.
"In the case of an information security incident, the department may be unable to identify in a timely manner what, if any, sensitive and/or critical data was involved and may be compromised," the audit said.
© 2023 the Times Union (Albany, N.Y.). Distributed by Tribune Content Agency, LLC.