ROANOKE (WSLS 10) – A WSLS 10 investigation leads to new information on Friday.
We first told you Thursday about personal information, including data on students and teachers, at possible risk. It’s being stored by the Virginia Department of Education (DOE), and it’s not secure, according to an audit released this week.
The Virginia Department of Education was notified Friday that all 13 computer servers that needed to be upgraded were installed as of Friday morning. This is weeks ahead of what they were planning on and weeks ahead of what they told WSLS 10 when we started asking questions this week.
The Virginia Auditor of Public Accounts (APA) said software and hardware needed to be upgraded to keep personal information protected. The outdated servers have names, addresses and Social Security numbers of Virginia teachers and anyone who has a Virginia teaching license. Student data, such as names and some addresses, is also not secure, according to the audit report.
The report says “Education does not upgrade certain IT software… which increases the risk that a malicious attacker will exploit these vulnerabilities, leading to a data breach.”
“Because these are classified these are ‘material weaknesses’ they are concerning,” said George Strudgeon, Audit Director with the Auditor of Public Accounts (APA). “They are fairly rare in audits.”
Strudgeon said data security issues were pointed out in previous audits and the DOE hired an information security officer to oversee plans, but there has not been a significant improvement in security. He said the APA was anticipating an improvement, but that has not happened.
“Information is always at risk, that’s the nature of information security. The report is specifically addressing our current environment in a point of time,” said Brian Gibbs-Wilson, Virginia Department of Education Chief Information Security Officer, when we asked him about the audit report.
As of Friday morning, all servers have been installed and are now being tested. The Department of Education said this now puts them on track to meet the deadline of having the new hardware and software updated by April 1.
The DOE wants to assure everyone the department has not had a breach in security.