A compromised email system two years ago and a massive data breach last year has raised questions about the competence of the school district’s 25-person information technology (IT) department.
None of the employees listed any cybersecurity skills in their resumes. Just three employees had computer science degrees, according to district documents released in response to a records request.
Most of the jobs required employees to have a “degree in computer science or equivalent experience.” In most cases, the district opted for “equivalent experience.” Some hires had various certificates, mostly dealing with repairing computer hardware. Others lacked computer skills.
For example, the district hired a help desk coordinator in early 2018. The job description required the employee to have “in-depth knowledge of PC development tools” and “in-depth knowledge of LANS and WANS,” computer networking skills. Her resume listed neither, but stated she was proficient in Microsoft Office. The woman had a nurse’s assistant certificate from Passaic County Community College and studied nursing at Ramapo College.
“Qualification is clearly lacking. It’s not there,” said former school board member Corey Teague speaking of the IT staff.
Paul Brubaker, spokesman for the Paterson Public Schools, did not specifically address a series of questions sent by the Paterson Times last month. He released a statement.
“Under the department’s well-educated and experienced leadership, the district’s IT employees do an excellent job of providing a multitude of services that serve the ever-growing technology demands of the state’s second-largest school district,” said Brubaker last week.
Brubaker said the district is “working closely with a forensic company to investigate” the data breach that claimed thousands of passwords last October.
“The update that was delivered to the board commissioners on July 15 was that the forensic investigation is continuing and, so far, there is there is no evidence of any unauthorized access to, or acquisition of, personally identifiable information maintained by the district,” said Brubaker’s statement.
“I disagree with that,” said school board member Kenneth Simmons, chairman of the technology committee, referring to Brubaker’s statement that there is no evidence of unauthorized access or loss of personally identifiable information.
Superintendent Eileen Shafer has tried to downplay the data breach. At one point two months ago, Brubaker claimed report of the data breach was “unfounded.” The data breach included passwords and account names.
The perpetrator obtained passwords of all district accounts and likely had access to sensitive information stored in school computers.
“There’s always concerns of a breach. I can’t say they have the requisites to mitigate it,” said Simmons when asked if he was concerned about the competence of the district’s IT staff. “I think they can learn.”
Simmons suggested the district consider hosting classes for IT staff on cybersecurity. He said it will be cheaper for the district to train all its IT staff than to send them out and individually pay for their training.
“With IT you’re always learning,” said Simmons. “Companies get breached every day, but how do you minimize it?”
Providing employees with periodic training will help to minimize future data breaches, he said.
Simmons said some school districts did not take technology seriously until the state required them to gear up for the computerized Partnership for Assessment of Readiness for College and Careers (PARCC) exams.
In 2017, the district’s email server was compromised and engaged in “namespace mining behavior.” The email system had been sending large numbers of requests to validate email addresses.
The district was ill-prepared to resolve the problem. Instead of patching its email system, the district switched to a Cloud-based email system creating a new annual expense.
School officials switched to the cloud system for $159,520 last June.
School officials have taken a variety of steps to address last October’s data breach, including changing all passwords and requiring two-factor authentication.