Lax procedures in the East Hampton School District left sensitive personal data at risk of exposure for a period of at least a year and a half, according to a report announced yesterday by the New York State Comptroller’s Office.
Among the records that could have been improperly taken were district employees’ Social Security numbers, drivers’ licenses, credit cards, and banking information, including personal identification (PIN) codes.
Student records were never at risk, according to a reading of the state report.
Following an examination that began in July 2014 and was concluded in March 2016, the comptroller’s office found that the district potentially allowed users of Invision, its financial software, access to private details that should have been protected.
According to the report, which was formally released on Friday, the results of the comptroller’s study were not initially made available “because of the sensitivity of some of this information.” Instead, they were shared confidentially with district officials.
The report found that, despite school board policy, 18 people were improperly given access to a range of information, including personnel leave and other private or sensitive records. In addition, the 18 accounts allowed users to see vendor and budget records that had nothing to do with their jobs.
Three users, including Isabel Madison, the assistant superintendent for business, were granted system administrator access, though it was not necessary for their positions. System administrators can add new users, change access rights, and adjust record entries. The district told the comptroller’s office that officials granted Ms. Madison broad access when they learned of the audit, but neglected to revoke it later.
According to the comptroller’s report, the error gave Ms. Madison the “ability to add, delete, and modify records in all functions of the financial software” and “override controls and make changes to the system that may enable her to make intentional or unintentional changes.” There is no indication that Ms. Madison acted improperly.
Ms. Madison’s access to the system administrator functions was ended after the comptroller’s office brought it to the district’s attention.
Among other problems the comptroller’s office identified was that there was no record of user account creation or changes, despite a policy requiring that those records be kept. In two instances, users were able to improperly alter their own leave records.
Access to vendor records was configured in a way that left open the chance that someone could create fictitious vendors and issue purchase orders for goods and services for their personal use, according to the report. No examples of this were identified, however.
Similarly, the comptroller’s office found that nine users, including the financial software provider, were able to make changes to vendor records. Though there was no evidence that anyone had done so, the configuration left open the possibility that inappropriate payments and budget transfers could have been made or that fake accounts could be entered in the system.
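The findings above amount to a least-privilege and separation-of-duties review of the financial system's user accounts. As an added illustration that is not part of the comptroller's report or this article, the following Python audit runs the same kinds of checks (unneeded system administrator rights, self-editable leave records, vendor-record access for an external account, one user able to both create vendors and issue purchase orders, and missing account-creation records) over a constructed set of accounts; the positions, rights, user names and policy table are all invented for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    user: str
    position: str
    rights: frozenset
    external: bool = False   # True for the software provider's support login

# Constructed policy: rights each position needs and nothing more; "leave.write.self" = may edit own leave
REQUIRED = {
    "payroll clerk":        frozenset({"leave.read", "leave.write"}),
    "purchasing agent":     frozenset({"vendor.read", "po.write"}),
    "business official":    frozenset({"budget.read", "vendor.read"}),
    "system administrator": frozenset({"sysadmin"}),
    "vendor support":       frozenset({"support.read"}),
}
SPECIAL = {"sysadmin", "leave.write.self"}   # reported by their own checks below

def audit(accounts, change_log):
    """Return (user, finding) pairs; an empty list means the accounts pass."""
    created = {e["user"] for e in change_log if e["event"] == "account.created"}
    findings = []
    for a in accounts:
        extra = a.rights - REQUIRED.get(a.position, frozenset())
        if "sysadmin" in extra:
            findings.append((a.user, "sysadmin right not required by position"))
        if "leave.write.self" in a.rights:
            findings.append((a.user, "can alter own leave records"))
        if a.external and "vendor.write" in a.rights:
            findings.append((a.user, "external account can change vendor records"))
        if {"vendor.write", "po.write"} <= a.rights:
            findings.append((a.user, "can both create vendors and issue purchase orders"))
        if extra - SPECIAL:
            findings.append((a.user, "rights beyond position: " + ", ".join(sorted(extra - SPECIAL))))
        if a.user not in created:
            findings.append((a.user, "no record of account creation"))
    return findings

# Constructed sample accounts and account-change log (not real district data).
ACCOUNTS = [
    Account("bizoff1", "business official", frozenset({"budget.read", "vendor.read", "sysadmin"})),
    Account("clerk1", "payroll clerk", frozenset({"leave.read", "leave.write", "leave.write.self"})),
    Account("buyer1", "purchasing agent", frozenset({"vendor.read", "po.write", "vendor.write"})),
    Account("support1", "vendor support", frozenset({"support.read", "vendor.write"}), external=True),
    Account("admin1", "system administrator", frozenset({"sysadmin"})),
]
CHANGE_LOG = [{"event": "account.created", "user": "admin1"},
              {"event": "account.created", "user": "clerk1"}]
```

Running `audit(ACCOUNTS, CHANGE_LOG)` flags every sample account except the dedicated administrator, which is exactly the shape of an exception report a district could review before an outside audit does.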
District officials told the comptroller’s auditors that the problems began after a new financial software system was installed in 2014. They explained that they had been unable to properly restrict certain access to different parts of the system without making it impossible for some staff to do their jobs.
In all, 50 district staff use the financial software system; not all of them had the wrong access rights, the comptroller’s office said.
In a response to the comptroller’s office in December, Richard Burns, the district superintendent, pledged to continue to work to correct the problems. This included revoking improper user access and appointing an independent system administrator.
“We will adhere to exactly what they recommend,” Mr. Burns said yesterday.