ROANOKE (WSLS 10) – Information stored by the Virginia Department of Education (DOE) isn’t secure according to an audit released this week.
That information includes names, addresses and more. If your child goes to public school, you work in a Virginia school system, or if you’ve ever been licensed by the Virginia Department of Education your personal information may be at risk.
“Information is always at risk, that’s the nature of information security. The report is specifically addressing our current environment in a point of time,” said Brian Gibbs-Wilson, VA Dept. of Education Chief Information Security Officer.
Gibbs-Wilson was hired in August 2015 after security issues were pointed out by the Virginia Auditor of Public Accounts.
“Because these are classified these are ‘material weaknesses’ they are concerning,” said George Strudgeon, Audit Director with the Auditor of Public Accounts (APA). “They are fairly rare in audits.”
Strudgeon said data security issues were pointed out in previous audits and the DOE hired an information security officer to oversee plans, but there has not been a significant improvement in security. He says the APA was anticipating an improvement for but that has not happened.
The report says “Education does not upgrade certain IT software… which increases the risk that a malicious attacker will exploit these vulnerabilities, leading to a data breach.”
“I think it’s a concern for everyone for sure. That’s why I have a number of pressing questions in talking with the Department of Education over the audit report,” said Virginia Delegate Sam Rasoul when we brought the findings to him.
Rasoul said the Department of Education needs to have additional staffing and more support from the state but the DOE is responsible too.
“They [DOE] certainly need to do more. This pointed out they have work to do and I’m glad that they have an aggressive timeline of getting this situated,” said Del. Rasoul.
Gibbs-Wilson said the information they store is secure, the department has not had a breach in security and they are working on system upgrades to be compliant with state and federal law.
“We are very concerned we take information security very seriously, we take data privacy very seriously and we are addressing all of the concerns and have a plan to do so,” said Gibbs-Wilson.
The DOE plans to have the servers and software upgraded by April 1 but again want to assure everyone there haven’t been any data breaches.
The auditor’s office will do a follow-up audit next year.