A legislative watchdog agency says it found widespread security weaknesses in the state Department of Education’s computer systems.
That included flaws that left Social Security numbers and other sensitive data on students and teachers potentially vulnerable.
The weaknesses could allow hackers to view sensitive information and obtain access to users’ accounts, the Auditor General’s Office said in a performance audit on the department’s information management systems.
“However, auditors found no indication that the security weaknesses identified have yet been exploited or that sensitive information has been compromised,” the report stated.
The report called for new security checks and a strong effort throughout the department to improve its information systems.
The department said state Superintendent of Public Instruction Tom Horne appointed a chief information officer last year and has since launched a comprehensive reform plan to close security gaps, improve the systems’ accuracy and make other upgrades.
The department also said it would ask the Legislature for additional dollars to bolster the department’s information-security staff.
“We’re well on our way with the changes, and the (information technology) staff has embraced the new vision,” the department said in a formal response to the audit.
Many of the department’s Web-based applications are available over the Internet, with thousands of users having accounts.
The systems are used for a variety of purposes, ranging from teacher certification to tracking student attendance that is used to allocate state funding to school districts and charter schools.
Confidential information kept on the department’s computer systems include teachers’ names, birth dates and Social Security numbers and students’ names and birth dates, the audit report noted.
Many of the security flaws were noted previously, but the audit found that just some problems were solved, the department said.
The weaknesses related to such areas as password management, lack of security updates and absence of effective monitoring systems to detect attacks or unauthorized use, the audit report said.
“While ADE keeps access logs, it reports that it does not routinely review the logs to identity unauthorized or abnormal events,” the report said
The audit cited accuracy concerns regarding the student accountability information system. The system tracks student attendance and school financial data.