Audit says Park Hill School District has taken good steps since security breach

Last week the Missouri State Auditor’s office released the results of its cyber security audit of the Park Hill School District, prompted by a data breach in 2014.

The audit, which is part of a series of Cyber Aware school audits held around the state, was conducted earlier this year and has been anticipated for some time. According to the audit report, auditors found that Park Hill officials have taken numerous steps to increase safeguards after the 2014 incident. 

“Schools store critical information about students and their families, and Park Hill officials clearly understand how essential it is to keep that data safe,” Auditor Nicole Galloway said in a statement released Thursday, Sept. 8. “The district has taken action to guard against the kind of breach we all hope never happens, and my team made additional recommendations to help them prepare.”

The report states, in part, that, “Auditors identified areas where improvements are needed but also found the district has developed certain controls to establish a safe environment for using technology, including promoting online safety, security and confidentiality.”

Auditors found that more could be done to limit unnecessary access to student data. 

For example, auditors identified three former employees that still had access to district systems more than a month after leaving employment. Auditors also recommended a number of enhanced security measures, including strengthening passwords and establishing a point-person to serve as a security administrator for the district. The complete audit report is available online at auditor.mo.gov.

Park Hill officials released a statement emphasizing positive work under way.

“We are pleased that the auditor’s office recognized all the work we have done to secure our sensitive information,”Park Hill superintendent Jeanette Cowherd said. “And we also are appreciative of the recommendations we received to help us with our ongoing improvement efforts.”

The district released its responses to the recommendations, including addressing controls for security and user account access. 

In reaction to one of the audit findings, the district appointed the director of technology, Derrick Unruh, as the official security administrator, in charge of developing and maintaining district security policy and procedures. 

The implementation of existing policies to remove access privileges to accounts upon employee termination will be improved and accounts better monitored. This issue appears to be the root of the problem in the 2014 date breach.

In July 2014, the district announced that just before leaving the district, a former employee downloaded all files from a work computer onto a hard drive without consent. When the hard drive was connected to a home network, all the files became accessible from the internet for a period of time. 

The private information of more than 10,200 district employees and students was affected, including Social Security numbers and personnel and student records. The breach was discovered through a Google search.

While the district learned of the breach in April 2014, information was not released to the public until July while the district conducted an internal investigation. Those affected were then notified by mail. 

The district provided identity monitoring services to those whose information was released, to help protect them from fraud.