Personal and sensitive information at the Copiague Union Free School District is at a greater risk for unauthorized access due to IT control weaknesses, a state audit found.

The state comptroller’s office conducted an audit of the district’s IT security and found district officials did not properly manage network user accounts and financial software access controls.

“As a result, data and personal, private and sensitive information (PPSI) accessible by those accounts were at a greater risk for unauthorized access, misuse or loss,” the audit stated.

Team 12 Investigates uncovered that the district was already a victim of an attack, one year before the audit commenced.

In November 2020, an engineer for the district noticed corrupted files. An administrator account had been hacked, impacting six critical servers.

According to a data incident report obtained by Team 12 Investigates, “patient zero” was identified as a machine used to connect with their transportation company. It took the district four days to restore systems and district officials said no sensitive data was taken.

Team 12 Investigates reviewed invoices for the cyber incident and found the breach cost them $39,981.25 for legal fees and cyber incident response services. Copiague UFSD maintains cyber insurance, which helped to offset about a third of the cyber expenses.

However, a state audit found that the district is still susceptible to unauthorized access by an attacker and is only now securing their network nearly four years later.

The audit found that the district had 316 nonstudent network user accounts that were not needed—including accounts assigned to former employees. Two of those accounts belonged to staff who left the district 17 years ago.

“Unneeded network user accounts are additional entry points into a network and, if accessed by an attacker, could be used to inappropriately access and view PPSI accessible to that account,” the audit stated.

The audit also found the Copiague UFSD did not provide IT security awareness and data privacy training to all officials and employees with access to financial and other sensitive data.

The district did not explain why those safeguards were not put into place after the 2020 cyber incident.

Superintendent of Schools Dr. Kathleen Bannon responded to the state audit by saying the “Copiague UFSD will implement procedures to review privileged and admin accounts and access at least quarterly, and regular user accounts/access at least annually.”

Dr. Bannon also stated that “Security & Awareness Training procedures have been implemented as of January 1, 2024.”

The district plans to ensure all terminated employees’ accounts and access are disabled no later than 24 hours after the initiation of a help desk ticket, which would then be immediately audited by the IT Director. All procedures outlined in their corrective action plan are expected to be implemented between June 2024 and December 2024.