
Audit Prompts Amherst Central Schools to Disable Old Accounts

Following an audit by the state comptroller, a school district in New York has identified and disabled unneeded accounts that belonged to former employees, as those represented potential entry points for cyber criminals.

(TNS) — Amherst Central School District has tightened access to the district's information network following an audit from the office of State Comptroller Thomas P. DiNapoli.

The audit discovered there were more than 1,000 user accounts accessing the district network that belonged to former students or staff, including one who retired more than 20 years ago.

While the audit warned that there was a significant risk that the district's network resources, financial data and student information could intentionally or unintentionally be changed or used inappropriately, it did not say there was any evidence of hacking.

In the district's response to the audit, Superintendent Anthony J. Panella said Amherst Central put corrective actions in place during the course of the audit, which covered July 1, 2020 to July 7, 2022.

"The district is committed to putting corrective actions into place for any findings listed in the final report," Panella said in his response.

The audit said as many as 1,570 accounts were unneeded, but had not been disabled.

Auditors looked at 5,078 network user accounts and found that 2,902 were assigned to currently enrolled students, while 1,402 were assigned to students who were not currently enrolled. Others were assigned to non-students or shared user accounts.

There were 90 network accounts still active for people who had left the district, auditors said, writing that "former employee network accounts should be disabled on the day the employee leaves district employment."

"Because the district's network had unnecessary enabled network user accounts, it had a greater risk that these accounts could have been used as entry points for attackers to compromise IT resources," the audit said.

District officials told auditors that the accounts went unnoticed because the district did not have written policies and procedures to disable network accounts.

"Cybersecurity is an area our district continuously works to strengthen and we welcomed the in-depth look from the comptroller's office," the superintendent wrote in his response letter to the audit.

©2023 The Buffalo News (Buffalo, N.Y.). Distributed by Tribune Content Agency, LLC.