Arizona Capitol Reports Staff//September 8, 2006
A legislative watchdog agency says it found widespread security weaknesses in the state Department of Education’s computer systems, including flaws that left Social Security numbers and other sensitive data on students and teachers potentially vulnerable.
The weaknesses could allow hackers to view sensitive information and to obtain access to users’ accounts, the Auditor General’s Office said in a performance audit on the department’s information management systems.
“However, auditors found no indication that the security weaknesses identified have yet been exploited or that sensitive information has been compromised,” the report stated.
The report called for new security checks and a strong effort throughout the department to improve its information systems.
The department said state Superintendent of Public Instruction Tom Horne appointed a new chief information officer last year and has since launched a comprehensive reform plan to close security gaps, improve the systems’ accuracy and make other upgrades.
The department also said it would ask the Legislature for additional dollars to bolster the department’s information-security staff.
“We’re well on our way with the changes, and the (Information Technology) staff has embraced the new vision,” the department said in a formal response to the audit.
Many of the department’s Web-based applications are available over the Internet, with thousands of users having accounts.
The systems are used for a variety of purposes, ranging from teacher certification to tracking student attendance that is used to allocate state funding to school districts and charter schools.
Confidential information kept on the department’s computer systems includes teachers’ names, birth dates and Social Security numbers and students’ names and birth dates, the audit report noted.
Many of the security flaws have been noted previously but the audit found that only some of them had been fixed.
The weaknesses related to such things as password management, lack of security updates and absence of effective monitoring systems to detect attacks or unauthorized use, the audit report said. “While ADE keeps access logs, it reports that it does not routinely review the logs to identify unauthorized or abnormal events.”
The audit also cited accuracy concerns regarding the Student Accountability Information System. The system tracks student attendance and school financial data. New automated controls need to be added to help check the accuracy of data in the system, the report said.
Copyright 2006 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.