DiNapoli: Improper Transfer of $600,000 at Lindenhurst
UFSD is a Lesson For All School Districts
Cyber Security Must Be Improved
Weak controls over electronic banking allowed someone to improperly transfer $600,000 from the Lindenhurst Union Free School District, according to an audit released by State Comptroller Thomas P. DiNapoli at a news conference today. The audit highlights the need for all districts in New York State to be mindful of the importance of cyber security.
The Lindenhurst audit is the last of 733 school and BOCES audits mandated under legislation passed in 2005. DiNapoli completed the audits two months earlier than the statutory deadline.
“Educating our children – and stretching every taxpayer dollar to do it – is the prime objective for our schools,” DiNapoli said. “District officials need to keep a sharp eye on the bottom line. Protecting taxpayer dollars from computer hackers must be a priority. Lindenhurst learned the lesson. Now school officials across the state need to follow Lindenhurst’s lead and focus on cyber security. Criminals are always looking for new ways to break into vulnerable IT systems.”
According to DiNapoli’s report, in July 2007, approximately $600,000 was improperly transferred from a district bank account to non-district accounts. Bank officers acted swiftly to recover the funds, but were only able to recover $496,590. The district recouped the rest through an insurance claim.
Recently it was reported that an upstate school district, Duanesburg, was the victim of a $3 million cyber theft.
DiNapoli’s report contained a number of recommendations for school districts to help protect them from cyber predators. It recommends that district officials have tight controls over electronic money transfers, including requiring that transfers can not occur unless two district employees provide approval to the bank for any such transaction. In addition, districts should:
- Control and monitor remote access to financial computer data;
- Routinely monitor bank transactions in order to identify unauthorized activity;
- Review user access rights to financial systems and modify or deactivate them as employees’ job responsibilities change or employees leave district service;
- Develop a data disaster recovery plan; and
- Periodically review audit logs.
District officials generally agreed with DiNapoli’s findings and indicated they have taken corrective action.
Superintendent Richard Nathan said, “The Lindenhurst Union Free School District would like to thank the Office of the State Comptroller (OSC) for its review of the district’s internal controls. The district has already implemented or is in the process of implementing the recommendations proposed by the OSC to ensure that our business operations reflect best practices, transparency, and accountability to our taxpayers. We are thankful that the district suffered no financial loss and that there are no individuals under suspicion within our district.”
Board of Education President Edward J. Murphy, Jr. said, “The Lindenhurst School District Board of Education is using this incident to strengthen our financial security procedures to ensure situations like this do not happen in the future. Unfortunately, this type of electronic crime has become more prevalent in recent years. It is our duty as the Board of Education to ensure the district puts the appropriate controls in place to prevent future cyber crimes.”
DiNapoli referred the findings of the audit to the Suffolk County District Attorney’s Office, who investigated the matter and found no evidence of criminal activity by district staff.
Click here to view a copy of the audit.
School District Accountability
To improve accountability of the state’s schools, DiNapoli’s office is auditing all of New York’s school districts and Boards of Cooperative Educational Services by 2010. The State Comptroller’s office has completed 733 school audits.