Found That More Than 20% of Its Unused Network User Accounts Were Not Disabled
By Hank Russell
The New York State Comptroller’s Office recently released an audit that showed that the Copiague Union Free School District’s information technology (IT) department failed to disable inactive network user accounts, and did not provide the proper software or training for its employees.
According to the report, from July 1, 2021 to October 31, 2022, the district did not disable 316 nonstudent network user accounts that were no longer needed; that accounted for 24% of all inactive accounts. Further, the district failed to ensure that employees were able to access the financial software needed to properly perform their jobs.
Of the unnecessary nonstudent network user accounts, 146 were assigned to former district employees, including two who have not worked for the district in over 17 years. Forty were assigned to former service providers, including three accounts that “could have been used to create new network user accounts and manipulate the security settings configured on the network.”
The audit went on to say, “If one of these network administrative accounts was compromised, an attacker would have the same administrative permissions as the compromised account.”
On June 29, 2021, thirty-seven temporary accounts were created for a teaching assistant training program; the accounts were never accessed. The Network Engineer said the users assigned to these accounts “were not on the premises and did not log into the network,” according to the audit.
The rest included 19 accounts for former interns and student teachers who no longer needed access; eight duplicate accounts, including two assigned to a former employee who has not been with the district in more than six years; four user accounts that were created without explanation, two of which were never accessed and two that were last used in 2016; and one which belonged to a former Board of Education Trustee who left the board in 2021.
After the auditors told the district of the unused accounts, the district disabled them. However, as it was pointed out in the audit, “District officials should have disabled the accounts as soon as they were no longer needed, such as when the individuals left District employment or stopped providing services to the District. Because the District did not have procedures to routinely review and disable network user accounts, these accounts were not disabled and could potentially have been used by those individuals or others for malicious purposes.”
Finally, the audit found that the district did not provide its officials and employees any training on IT security awareness and data privacy. These officials and employees had access to financial information about the district and other sensitive data. According to the audit, the former IT director resigned in August 2022 and the new IT director joined the district after the audit period ended.
The Comptroller’s Office recommended that the district disable network and financial software user accounts as soon as they are no longer used and provide periodic data privacy and IT security and awareness training to officials and employees who have access to this proprietary information.
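The routine review the audit says was missing can be expressed as a simple policy check. The following is an added example, not code from the audit or the district: it takes a constructed list of accounts modelled on the categories the audit describes (departed owners, never-accessed temporary accounts, accounts idle since 2016, an administrative provider account), flags the ones that should be disabled, and reports the share of stale accounts the way the audit's 24% figure does. The field names, thresholds and sample accounts are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Account:
    name: str
    created: date
    last_logon: Optional[date]  # None means the account was never accessed
    owner_active: bool          # owner still employed by / contracted to the district
    admin: bool = False         # can create accounts or change security settings

def review(accounts, as_of, inactive_days=90, never_used_grace_days=30):
    """Return [(account, reason)] for every account that should be disabled."""
    findings = []
    for a in accounts:
        if not a.owner_active:          # departed employee, provider, intern, trustee
            reason = "owner no longer with the district"
        elif a.last_logon is None:      # created but never used (e.g. the temporary TA accounts)
            if (as_of - a.created).days <= never_used_grace_days:
                continue                # recently created, give the owner time to log in
            reason = "never accessed since creation"
        else:
            idle = (as_of - a.last_logon).days
            if idle <= inactive_days:
                continue                # in use, nothing to do
            reason = f"no logon for {idle} days"
        if a.admin:                     # same permissions as the admin if compromised
            reason += " (administrative account: disable first)"
        findings.append((a, reason))
    findings.sort(key=lambda f: (not f[0].admin, f[0].name))  # admin accounts first
    return findings

def stale_fraction(accounts, as_of, **thresholds):
    """Share of accounts that should have been disabled (the audit's 24% figure)."""
    return len(review(accounts, as_of, **thresholds)) / len(accounts) if accounts else 0.0

# Constructed sample modelled on the audit's categories; not real district accounts.
AUDIT_END = date(2022, 10, 31)
SAMPLE = [
    Account("former.teacher", date(2004, 9, 1), date(2005, 6, 20), owner_active=False),
    Account("vendor.admin", date(2019, 3, 4), date(2020, 1, 15), owner_active=False, admin=True),
    Account("ta.temp01", date(2021, 6, 29), None, owner_active=True),
    Account("unexplained04", date(2016, 2, 1), date(2016, 5, 2), owner_active=True),
    Account("current.teacher", date(2015, 8, 30), date(2022, 10, 28), owner_active=True),
    Account("new.hire", date(2022, 10, 20), None, owner_active=True),
]
```

Calling review(SAMPLE, AUDIT_END) flags four of the six constructed accounts, with the vendor's administrative account listed first; the recently created, not-yet-used account stays within its grace period and is left alone.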
Long Island Life & Politics reached out to the district’s IT department on March 22, but did not get a response. A district employee called on March 25 to say that someone would call back later in the day. Long Island Life & Politics called again, but did not get a response as of press time.