KGUN 9NewsLocal NewsTucson Metro News

Actions

Performance audit warned TUSD of cybersecurity vulnerabilties in 2018

classroom computer
Posted

In the video player: Parts of TUSD carry on without Internet following cyber attack

TUCSON, Ariz. (KGUN) — A data security breach hit Tucson Unified School District early Monday. District officials told the public they were working with cyber security professionals to investigate what happened, and how to make corrections in the future.

According to a report from the state's Auditor General in 2018, the district was warned that it "lacked adequate controls over user access to its computer network and accounting and student information systems."

Blaine Young, TUSD's Chief Operations Officer, said steps were taken at the time to follow the Auditor General's point-by-point recommendations.

The inadequacies pinpointed in the report included:

  • Weak password requirements
  • Inadequate procedures for removing network and critical systems access
  • No IT contingency plan

At the time the report was issued, TUSD reportedly did not follow standard guidance for a minimum-eight character password with varying cases and special characters, nor did it have "sufficient procedures" to remove users not currently employed by or attending TUSD.

"Auditors reviewed the District’s fiscal year 2017 user access reports and found 17 network user accounts, 13 student information system user accounts, and 41 accounting system user accounts that were linked to employees who no longer worked for the District.

At least 1 of these individuals had not worked for the District for almost 1 year. Further, auditors found 10 user accounts linked to terminated employees who had the ability to access the District’s network using a Virtual Private Network."

—2018 Performance Audit

The report also said "the District did not have a formal, up-to-date, and tested IT contingency plan even though it maintained critical student and accounting information on its network and systems."

RELATED: TUSD holds meeting following cyber-attack

Recommendations stated TUSD should develop a plan to ensure continued operations in the event of a system failure or interruption.

According to Young, TUSD's staff created a disaster recovery plan after the report was released. He says the plan was tested multiple times and is currently in use.

Young also said the district did make system changes to ensure that once a person left TUSD, their access permissions and credentials would be revoked. He says they followed guidance for strengthening password requirements.

TUSD did continue school operations following the breach, and according to Superintendent Dr. Gabriel Trujillo, the plan is to have everything running normally by the second week of February.

——
Anne Simmons is the digital executive producer for KGUN 9. Anne got her start in television while still a student at the University of Arizona. Before joining KGUN, she managed multiple public access television stations in the Bay Area and has worked as a video producer in the non-profit sector. Share your story ideas and important issues with Anne by emailing anne.simmons@kgun9.com or by connecting on Instagram, Twitter or LinkedIn.