TOWSON, Md. (AP) — A state audit released this week concluded that the computer network of Baltimore County public schools did not safeguard sensitive personal information and had other serious risks.
The Office of Legislative Audits released the report of the assessment Tuesday, the day before the school district’s network was shut down by a ransomware attack, the Baltimore Sun reported. The audit states that 26 publicly accessible servers located within the district’s network instead of being isolated in a separate network “could expose the internal network to attack from external sources” if compromised.
“Significant risks existed within BCPS’ computer network,” the auditors wrote based on fieldwork conducted between May 2019 and February. “For example, monitoring of security activities over critical systems was not sufficient and its computer network was not properly secured.”
The ransomware attack has left 115,000 students without classes as the district shifted to remote learning because of the coronavirus pandemic. The school system has not provided a timeline for when classes will restart.
The district’s chief of staff, Mychael Dickerson, did not directly respond Thursday to questions from the newspaper about the report. He said staff have been working on the systems during the Thanksgiving holiday.
The Baltimore County Police Department is investigating the cyber attack. Dickerson said investigators have not determined its cause. It’s unclear whether student or personnel data has been accessed by the perpetrators of the attack.
District officials responded to the audit in a letter dated Nov. 18. They wrote that they are looking into ways to better protect personal data and were relocating the publicly accessible servers.