NY State Offices Disagree About Starpoint Schools Cybersecurity Fixes

Three years after an audit recommended cybersecurity improvements at Starpoint Central School District, the New York State Education Department and State Comptroller’s Office followed up and came to different conclusions.

(TNS) — When the New York State Comptroller’s Office audited information technology protocols at Starpoint Schools in 2022, the report’s authors issued five recommendations for how to improve the district’s processes and protect financial and student information.

More than three years later, the problems identified in the audit have been only partially corrected, the Comptroller’s Office said in a follow-up report released this past week.

That follow-up, however, reached different conclusions than a similar review completed around the same time by the New York State Education Department, which said that Starpoint fulfilled the comptroller’s five recommendations from 2022 and demonstrated strong cybersecurity policies and protocols.

In the comptroller’s update, Starpoint implemented one recommendation, partially implemented three others and did not implement one of the recommendations.

“The District’s network and financial and student information applications continued to have increased opportunities for undetected malicious activities, improper access to students’ private and personal information, and/or modification of accounting records to conceal malicious transactions,” reads the comptroller’s report, written by Robin L. Lois, deputy comptroller to Thomas DiNapoli.

The audit and the follow-up were directed to the Starpoint School Board, district officials, network administrators and a coordinator from Orleans-Niagara BOCES. The follow-up visit in May focused on interviews with staff and examinations of data and documents, according to Lois’ report.

Starpoint Schools Superintendent Sean Croft on Friday emphasized the positive conclusions of the state Education Department’s Data Security Review.

“These results, combined with the multiple clean opinions the district has received from its external and internal auditors, confirm that our internal controls are effective,” the superintendent said. He pointed to a specific line from NYSED’s report.

“We appreciate the district’s proactive stance on cybersecurity and its commitment to protecting student and staff data,” wrote Marlowe Cochran, the Education Department’s chief information security officer.

Cochran applauded the district for its security policies, trainings and access controls. The NYSED official’s only recommendation was to improve the district’s documentation.

Croft said the district added a new position, director of technology, last school year to “support faculty and staff with their technology needs while also overseeing comprehensive data protection operations.”

Given its role as a kindergarten-through-12th-grade school district, Starpoint answers directly to the state Education Department and not to the state comptroller, although it can be subject to review by either party. The Comptroller’s Office does not punish school districts for poor audits but recommends improvements and releases results for public accountability.

“Our auditors performed targeted testing to determine and verify if the recommendations were implemented,” said Mark Johnson, DiNapoli’s press secretary. “We do not know what methodology SED used to make their determinations and therefore cannot speak to the difference.”

The state Education Department and state Comptroller’s Office did not align in their reports regarding Starpoint’s cybersecurity efforts, which aim to protect sensitive student and employee information.

Although the comptroller’s follow-up and the NYSED report did not fully align, they underscored the pressure on local school districts to secure sensitive information at a time when cyber attacks can be well-disguised and may prey on underfunded school systems.

The New York State School Boards Association rounded up data last winter that demonstrated how costly ransomware and other cybersecurity attacks can be for districts. The average ransom demand is $847,000, according to the article. A December security breach of PowerSchool, popular software for student registration and attendance, exposed student information in 38 Western New York school districts. Buffalo Public Schools suffered a ransomware attack in 2021 for which recovery costs were a reported $9.4 million.

From the comptroller’s perspective, a chief criticism of Starpoint is that its network administrators did not always remove access for employees who left the district. The 2022 audit showed 44 former employees who still had active accounts, including some who had left 13 years prior. This continued to be a problem three years later.

“The unneeded accounts were not always identified and disabled in a timely manner,” the new report reads. “The identified user accounts were not used to logon to the District’s network for an average of 1.5 years and up to 3.6 years prior to being identified as unneeded.”

In its 2022 report, the comptroller explained that appropriate technological access should be “limited to very few individuals who have a valid business need for such access.”

The comptroller’s follow-up also found that users had access to student information and financial applications that exceeded their job responsibilities, an issue that was not remedied after the audit.

“All five user accounts identified with unnecessary permissions during our audit had not had unnecessary permission removed,” the report read. “Rather, two of the five user accounts (40 percent) were granted additional permissions.”

The follow-up visit did not show a sense of urgency to address the issues, the report indicated.

“While District officials stated they intended to perform a review of user permissions in the student information application, this review had not occurred as of May 2025 due to other higher-priority matters,” the report reads. “District officials did not elaborate on what those higher-priority matters were.”

© 2025 The Buffalo News (Buffalo, N.Y.). Distributed by Tribune Content Agency, LLC.