NJ OFAC Completes Investigation Into Unauthorized Release of Assessments in Montclair

BY  |  Friday, Jun 06, 2014 1:00pm  |  COMMENTS (41)

Unauthorized Release of Assessments in MontclairIn a letter sent to Montclair Superintendent of Schools, Dr. Penny MacCormack on Wednesday, June 4, The Office of Fiscal Accountability and Compliance (OFAC) of New Jersey states it has “completed its investigation into a potential data security breach,” and found, among other things that “The initial “release”of the assessments that allowed posting to a site accessible to the general public could only be accomplished by an individual/s possessing a district issued user name and password.”

Other relevant findings deal with computer security issues and operation issues.

OFAC states its review was not structured to identify the individual/s responsible for providing unrestricted access to student assessments, however recommends that, should the parties responsible be identified, that the district consider disciplinary action.

In January, the Board voted to suspend its investigation when the state’s Office of Fiscal Accountability and Compliance (OFAC) began its own investigation. At the June 2 meeting, the Board voted to terminate its investigation.

Here is the OFAC letter in its entirety:

Dear Dr. Maccormack:

SUBJECT: Montclair Public Schools Data Security Breach – OFAC Case #INV-1 06-13

The Office of Fiscal Accountability and Compliance (OFAC) completed an investigation into a potential data security breach. The investigation was prompted by concerns  that  unknown person/s/ accessed a password  protected  teacher portal. The OFAC investigation  was structured to ensure that student records are secured in accordance with the provisions of applicable statute and code.

The OFAC examination was limited i n scope to determine if the confidential student data was maintained in accordance with statutory requirements under N.J.S.A.   l 8A:36- l 9  et  seq.  and N.J.A.C. 6A:32- 7 et seq. The OFAC review was not structured to identify the individual/s/ responsible for providing unrestricted access to student assessments.

The review was conducted on diverse dates from December 19, 2013, through May 30, 2014. The review included an examination of district e-mails, policy and procedure,  comparing  it to applicable state statutes and regulations. Interviews were conducted with district staff responsible for technology infrastructure, operations and security. The OFAC also consulted with staff from the private company engaged by the district to analyze district technology services.

The completed investigation did not identify any material violations of applicable statue and code associated with the proper maintenance and safeguarding of student records. The comprehensive review did identify areas of concern that were previously discussed with you and arc attached to this letter as Exhibit “A.”

Since the district has or is taking appropriate steps to address the concerns and to ensure the overall integrity of district technology infrastructure, the OFAC will terminate the investigation and mark the file closed.

Exhibit “A”

1.  Observation:  The agreement between Montclair Township and the school district is not memorialized in written form.
Recommendation: Both entities should execute an appropriate agreement defining the responsibilities of each party.

2. Observation: The district currently does not maintain a user audit trail to identify individuals’ access activity.
Recommendation: The district should research what options are available for auditing user accounts to determine if increased monitoring is needed.

3. Observation: District computer operations were under the control of a single individual who declined to share access codes or document programs that impacted computer operations.
Recommendation: The district should establish redundancy as per established standards to ensure continued operations in the event the primary individual is incapacitated.

4. Observation: The OFAC was informed that school district and town e-mails are comingled when archived.
Recommendation: The district should require that school district e-mails be segregated to allow for appropriate retrieval as necessary.

5. Observation: Based on the best information made available to the OFAC, the initial “release” of the assessments that allowed posting to a site accessible to the general public could only be accomplished by an individual/s possessing a district issued user name and password.
Recommendation: If the party or parties responsible are identified, the district should consider appropriate disciplinary action.

 

Board President David Deutsch shared OFAC’s finding today with the board along with the following letter:

Dear Members of the Board of Education,

This week, we received the official letter from the Office of Fiscal Accountability and Compliance (“OFAC”) in which it shares its findings regarding last fall’s unauthorized release of certain assessments. Later today, both this letter and the OFAC letter will be posted on the district’s website.

The OFAC letter shares two important conclusions.  First, “…the initial “release” of the assessments that allowed posting to a site accessible to the general public could only be accomplished by an individual/s/ possessing a district issued user name and password.”  Second, OFAC notes several material deficiencies in the district’s legal, operational and personnel-related protocols with respect to its computer infrastructure.

As we have formally ended our own investigation, there is little to say on the first conclusion.  However, regarding the second conclusion, the Board’s investigation uncovered the same weaknesses in its computer systems that OFAC confirmed and I believe the discovery of these weaknesses were the most significant of the many issues brought to light by the release of the assessments.

Accordingly, I am pleased to note that Dr. MacCormack and her staff, based on their own evaluation, have already implemented the bulk of the OFAC recommendations to improve the district’s computer infrastructure.

Sincerely,

David Deutsch

Deustsch told Barista Kids that the findings of the weaknesses in the computer system are perhaps the most significant and he is very pleased at how Dr. MacCormack and her staff have quickly moved to remedy the issues.

41 Comments

  1. POSTED BY Frank Rubacky  |  June 06, 2014 @ 1:22 pm

    POSTED BY fishoutofvodka  |  JUNE 05, 2014 @ 11:56 AM
    “No comment” is an unacceptable answer in terms of explaining how the BOE is (mis)spending our taxpayer’s money. And I sincerely hope this is not an indication of how Mr. Deutsch thinks he can run things.
    As for the $120,000+, the first thing that needs to happen is that Weiner, Lesniak LLP needs to be fired immediately. Every bit of that bill–from the incompetently run investigation, to the idiotically issued subpoenas, to the bill from another law firm defending a board member against an overreaching subpoena–is their fault. And there is not a dime of that bill that actually represents useful work that served the BOE or the taxpayers well.
    But qby33, they DID hold someone responsible–Alan Benezra, the school’s IT guy, got canned for being the one who told the public that the leak was due to incompetence instead of a deliberate hack and probably saved us all from an even larger bill from Weiner, Lesniak, LLP “investigation.” So…yeah….

    Ouch!

  2. POSTED BY walleroo  |  June 06, 2014 @ 2:53 pm

    And thus closes another sad chapter in the life of our very small town.

  3. POSTED BY assessmentgate  |  June 06, 2014 @ 3:10 pm

    Great! So I guess everything’s fine and we can all move on.

    Wait: WHAT JUST HAPPENED???

  4. POSTED BY Right of Center  |  June 06, 2014 @ 3:21 pm

    The State of New Jersey, after an exhaustive investigation, has determined:

    1. In order to download confidential district information from the website, passwords and usernames and stuff like that, were involved.

    2. You all ought to be more careful with your usernames and passwords.

  5. POSTED BY walleroo  |  June 06, 2014 @ 3:28 pm

    To put it even more succinctly, the town is run by the Marx Bros.

  6. POSTED BY Right of Center  |  June 06, 2014 @ 3:29 pm

    “Straight from the Superintendent”

    Dear Parents, Caregivers and Staff:

    Because of the recent Office of Fiscal Accountability and Compliance (“OFAC”) finding regarding last Fall’s unauthorized release of certain assessments. I have implemented the following action plan.

    Moving forward, the default password associated with new accounts on the District’s server will no longer be the last name of the account holder, it will now be “12345″.

    Remember, security is up to everyone!

    Thank you,

    Penny MacCormack, Ed.D.
    Superintendent of Schools Montclair Public Schools

  7. POSTED BY assessmentgate  |  June 06, 2014 @ 3:47 pm

    And $130K+ was spent to find this out? Yikes.

    Keep in mind that the Superintendent, members of the BOE, their supporters, and others all led us to believe that a hacker was responsible for the upload of the assessments. I was suspect #1:

    https://www.aclu-nj.org/files/1413/8618/9802/MBOE-146_Subpoena_upon_Google.pdf

    Could it have been possible that it was well-known what happened, and that the incident was leveraged as a way to silence/intimidate/harass the most vocal critics of Central Office?

    Unfortunately, OFAC didn’t have a mandate to investigate that…

  8. POSTED BY Frank Rubacky  |  June 06, 2014 @ 3:54 pm

    “Wait: WHAT JUST HAPPENED???”

    I’m not sure, but I would like to think it was an olive branch.

    Regardless, I think it is time to retire the assessmentgate screen name.

  9. POSTED BY concernedmontclairparent  |  June 06, 2014 @ 4:10 pm

    “Based on the best information made available to the OFAC”.

    And the information made available to OFAC? (Capitalization added)

    “Interviews were conducted with DISTRICT staff responsible for technology infrastructure, operations and security. The OFAC also consulted with staff from the private company ENGAGED BY THE DISTRICT to analyze district technology services”

    It strikes me that this was not an independent investigation or designed to learn anything other than what the DISTRICT wanted it to learn.

    While it would have been appropriate for the BOE president to have offered an apology to the community, and specifcally Mr. Cummings, for the needless subpeonas, instead he basically dismisses OFAC, essentially saying, “Thanks for nothing OFAC, but we already have this. You didn’t really add anything here.”

    Regarding, “As we have formally ended our own investigation, there is little to say on the first conclusion.”, this is consistent with Mr. Duetsch’s “No Comment” repsonse after Monday’s BOE meeting. I hope he will be more forthcoming about these topics in the future.

  10. POSTED BY assessmentgate  |  June 06, 2014 @ 4:10 pm

    Yes Frank. An olive branch. Which mockingly poked us all in the eye and gleefully swept the entire affair under the rug.

    And of course, by your logic, the entire assessment leak affair was unavoidable, correct?

  11. POSTED BY Frank Rubacky  |  June 06, 2014 @ 7:39 pm

    I can understand why you are not ready to move past this, but you need to move that way.
    Nothing out of this was good. Carping about it will kill off MCAS. Lost the battle, move on.
    If you don’t, you and concernedmontclairparent – and the guy from the Mtc Times – will just be cast as malcontents. It is the way of the world.

  12. POSTED BY State Street Pete  |  June 06, 2014 @ 10:12 pm

    Frank, I must be in an alternative universe from you. Superintendent MacCormack falsely and irresponsibly accused parents and teachers who were opposed to her assessments of intentionally leaking those assessments with no proof whatsoever, then she went after her enemies with illegal subpoenas, dragging innocent people into court, spending insane amounts of money on lawyers, all to uncover the identity of a leaker who didn’t even exist, when all along it was the sorry state of the district’s computer security that was to blame, something for which she is responsible. Superintendent MacCormack needs to resign, period.

  13. POSTED BY qby33  |  June 06, 2014 @ 10:36 pm

    The BOE’s job is to make sure the Superintendent is doing hers, no? They seem to think she has a pretty good handle on this. I guess we should all just trust them with our children’s education and our taxpayer money. They seem to be doing a bang up job so far. Testing is the way to educate and paying legal fees is the way to spend taxpayers $!

  14. POSTED BY Frank Rubacky  |  June 06, 2014 @ 11:00 pm

    SSP,
    Yes, I think you do.

    1) They were our crappy assessments written in-house because of the issues with the magnet system. We had no choice but to first attempt to customize a set to our situation. See what happens when you leave your homework to the last minute. Summer School!

    2) You’re too young to get this, but this is basically a Warren Commission deal and since you have nothing factual, you lose.

    3) OFAC contributed nothing, but they sealed the deal. Quite frankly, anyone who knows an iota about sw/hw knew back in December this was not gobbledegook. But, then again, most people still use Windows XP pr Win7. (I did like the “The Russians Are Coming, the Russians Are Coming” angle….so Mad Men-esque.)

    4) You think getting rid of the Super is going to change things. LOL! The Super’s contract is almost assuredly not going to get renewed. The majority of the BOE will turn over in the next 2 years. (time out while I use my defibrillator….ok, all good…where was I? )

    The point of this is to protect home values and maintain the overall magnet concept to buy some time for some back-of-the-house upgrades. I think the Township Council recognized this and with highly unusual speed, but also their first time lacking unanimity on a township-wide issue, professed a need for “healing” more than an investigation by a body they have absolutely no control over by law. Talk about stepping in it. That was one of this Council’s low points…excluding Mr Jackson & Mr Hurlock who smartly bailed.

    That’s your universe….not mine.
    BTW, If you want to collaborate o a list of people who have falsely accused officials in this township feel free to create a Facebook page for us.

  15. POSTED BY Frank Rubacky  |  June 06, 2014 @ 11:03 pm

    Even the MEA is going to bail on you….essentially because the NJEA is going to tell them that.

  16. POSTED BY Frank Rubacky  |  June 06, 2014 @ 11:03 pm

    PS: of course, that is just my opinion.

  17. POSTED BY lennybrave  |  June 06, 2014 @ 11:09 pm

    I wish I had a dime for every statement Frank Rubacky has made predicting the end of the opposition to these test-crazy, ridiculous reforms.

    I love the name assessmentgate. Every time it appears, I am reminded of how the BOE wasted our time and money; I am reminded of how the they attempted to silence vocal parents with silly “wide-net” subpoenas that turned up nothing; how the BOE went after their own board member because he was critical of their reforms. I am reminded of the incompetence that is at the center of this so-called ‘leak’ – now known as “release.”

    Let’s read that findings one more time:

    The OFAC letter shares two important conclusions. First, “…the initial “release” of the assessments that allowed posting to a site accessible to the general public could only be accomplished by an individual/s/ possessing a district issued user name and password.” Second, OFAC notes several material deficiencies in the DISTRICT’S legal, operational and personnel-related PROTOCOLS with respect to its computer infrastructure.

    A huge battle was lost by the Superintendent and the BOE; they will have to work twice as hard now to establish credibility with what seems to be a growing movement against their brand of reforms.

  18. POSTED BY Frank Rubacky  |  June 07, 2014 @ 9:27 am

    lennybrave,
    I am saying just the opposite. The reforms will be kicked down the road! You will “win”, so to speak.

    It will be MCAS, it’s Facebook pages and Change.org poll (the trappings) and MSW that will go away. And much faster than you will believe. That’s my prediction.

  19. POSTED BY Frank Rubacky  |  June 07, 2014 @ 9:31 am

    PS: lennybrave,
    I intend to take the summer off from bnetkids. So, no more predictions here.

  20. POSTED BY fishoutofvodka  |  June 07, 2014 @ 12:16 pm

    So, anyone want to take bets about whether the BOE is going to pursue the “leaker” with the same rabid enthusiasm now that they know it wasn’t a teacher?

    Or maybe we could just take bets on whether they will issue apologies to the teachers, assessmentgate, David Cummings, and everyone else they accused of being involved.

    Anyone think the board is going to take some time to reflect on their own behavior in this mess? Will they perhaps take a moment to admit that maybe their behavior does not reflect well on them, and that their ill-advised investigation did little but build mistrust in the schools and in the community?

    If the BOE isn’t capable of learning from past mistakes, I’m pretty sure it shouldn’t be in charge of making educational decisions for our town.

  21. POSTED BY walleroo  |  June 08, 2014 @ 7:04 pm

    If the BOE isn’t capable of learning from past mistakes, I’m pretty sure it shouldn’t be in charge of making educational decisions for our town.

    That standard would disqualify quite a few governing bodies.

  22. POSTED BY fishoutofvodka  |  June 08, 2014 @ 10:08 pm

    I’m okay with that.

  23. POSTED BY Gretcheninthekitchen  |  June 09, 2014 @ 2:22 pm

    As noted above, the recommendations shaken out of the investigation are fairly obvious. Taken out of bureaucratic-ese they amount to “Don’t share your passwords.” Sure it’s going to get some jeers, but at least it is straightforward. The air still hasn’t cleared on some other things i.e. who might have a reason to move things in a way that AFT would be in favor of (or against, in the context of Common Core). There have been comments here and on other forums about David Cummings and whether union ties may have played a role in the leaks.

    Those comments have drawn criticism, but this report actually highlights why those rumors exist. It gives the mechanics but doesn’t address anything else. Without the rest of the story, guesses are going to be based on motivations and other ties, like Cummings and AFT.

  24. POSTED BY State Street Pete  |  June 10, 2014 @ 1:00 pm

    So Gretchen, let me see if I understand what you’re saying. Because the report didn’t specifically exclude the possibility, you’re still hanging on to the theory that a district employee, somehow knowing the specific vulnerabilities of the network and computer s/he was using, purposely left the assessments unprotected in hopes that malware/scaper software would come along and infect that very computer and gobble up and post publically the assessments? We’ve talked here before about the leaps of logic it takes to make that argument work, so to still to continue to hold on to that theory makes me wonder if you’ve thought this out, or if you have other reasons to pretend that scenario is still a possibility.

    Further, the rumors about the AFT and Cummings exist, not because the report didn’t refute them, but because you and others continue this whisper campaign and repeat them here and on “other forums”, with no factual basis whatsoever.

  25. POSTED BY education4all  |  June 10, 2014 @ 2:30 pm

    Gretcheninthekitchen, are you trying to create a distraction from the professional failures, questionable character, sneaky behavior, blatant lies, and low ethics of Mccormack, Kulwin, Deutsch, Larson, and Lombard – or do you really believe your nonsense about Cummings/AFT???

  26. POSTED BY martylorne  |  June 10, 2014 @ 6:49 pm

    Pete: I think the point Gretchen is making isn’t about the specific security issues, but what the report doesn’t cover beyond them. Ok, everybody needs to take care with the basics because as obvious as it seems, it’s easy to let the little security stuff (P@$$W0rd is a bad password) slide. Gretchen is saying this report puts in black and white what went wrong and what should be done to avoid problems in the future – and that’s nice to have – but it doesn’t put to rest who let the information out, thus the mention of Cummings and AFT. Someone leaked the tests, and obviously they had their reasons for doing so. The world doesn’t like vacuums so something is going to come in to fill it.

  27. POSTED BY education4all  |  June 10, 2014 @ 9:25 pm

    So Marty, the only thing that possibly could have filled that vacuum was Cummings, who was following the instructions of the AFT?

    You’re kidding, right?

  28. POSTED BY nycmontclair  |  June 10, 2014 @ 9:34 pm

    I wasn’t planning to comment on this thread, but when I see people being defamed, that is when I have to speak up. The report does not say anyone deliberately did anything. And if you want to throw names around as possibles suspects, we could just as easily accuse someone in central office. My point is there is no evidence of intentional wrong doing, so to accuse someone without proof is bordering on libel and frankly, disgusting.

    The assessments were posted without password security, so absolutely could have led to gobookee scraping and very much seems like this was a human error. I can not believe how much this investigation has cost. Montclair tax payers about $120.000 and what about OFAC? I’m guessing closer to $160,000. And for what exactly? This whole thing makes me sick.

    And if people want us. To move forward after this, then I would suggest people stop defaming people. You want to make an accusation, present your evidence. Clearly the Board didn’t have enough to charge anyone. And I do question the motives of posters who suddenly pop up out of nowhere to make these unfounded accusations.

  29. POSTED BY Frank Rubacky  |  June 10, 2014 @ 11:09 pm

    nycmontclair,

    Before I go on my Summer hiatus, I felt compelled to applaud your post. I regretfully did not give you the credit due you for your standards and integrity. I’m not sure education4all will receive your criticism well, but that is his/her problem. I agree with you that defaming people is an ugly business and there is no place for statements like “…the professional failures, questionable character, sneaky behavior, blatant lies, and low ethics of Mccormack, Kulwin, Deutsch, Larson, and Lombard…”

    My appreciation to you for being a voice of reason and equality.

  30. POSTED BY walleroo  |  June 10, 2014 @ 11:34 pm

    Dear Gretchen and Marty, You seem to have good intentions and I kind of like you so I’m going to give you some advice. You are in way over your heads. You may have seen some glimmer of reasonableness in nycmontclair or who knows even fishoutofvodka, stranger things have happened. You’re thinking, maybe if I try to meet them half way, I can persuade them. Forget it. It’s a siren’s call. They will keep at you, day in and day out, until they wear you down, and eventually you will lose your mind. Take it from someone who’s already too far down that path to turn back, and listen up. Put down the mouse, log off, go about enjoying this auspicious start to summer, and don’t come back.

  31. POSTED BY nycmontclair  |  June 11, 2014 @ 8:10 am

    Frank, enjoy the summer. I should probably take it off as well so I can get my blood pressure under control. But I will be spending it figuring out what to do about my son’s education.

  32. POSTED BY Frank Rubacky  |  June 11, 2014 @ 12:03 pm

    Thanks.

  33. POSTED BY cspn55  |  June 11, 2014 @ 12:55 pm

    that’s a great post Frank. Doesn’t everyone realize by now that only someone on YOUR side of an argument can be “defamed” on the Baristanet boards when they are called liars, cheats and accused of wrongdoing? Haven’t we learned that when the the person being called names or accused of bad action is on the OTHER side of the argument it is always valid and not defamation! :)

  34. POSTED BY assessmentgate  |  June 11, 2014 @ 1:59 pm

    Frank, Walleroo, and cspn55: given your disapproval of strongly-worded descriptions of the BOE and Superintendent’s behavior, perhaps you could do a better job.

    Here’s a new blog which lists many of the Board’s and MacCormack’s actions over the past year. How would you categorize, explain, or portray them?

    https://penelopebly.wordpress.com/2014/06/10/an-end-of-year-assessment-for-montclairs-education-reformers/

  35. POSTED BY Frank Rubacky  |  June 11, 2014 @ 6:01 pm

    Water over the damned?

  36. POSTED BY Frank Rubacky  |  June 11, 2014 @ 6:02 pm

    Sorry, damned spellcheck!

  37. POSTED BY State Street Pete  |  June 11, 2014 @ 7:31 pm

    Great title for a horror movie though.

  38. POSTED BY walleroo  |  June 11, 2014 @ 11:48 pm

    Well, assessmentgate, we can probably agree that the BOE and MacCormack and the reformers in general have failed to persuade.

  39. POSTED BY walleroo  |  June 11, 2014 @ 11:49 pm

    River of No Return.

  40. POSTED BY Frank Rubacky  |  June 12, 2014 @ 12:26 am

    With apologies to Deep Purple…

    “Smoke On The Water”

    We all came out to Montclair
    Below the First Mountain ridge line
    To make quarterly assessment on a dime
    We didn’t have much time
    Central services and the teachers
    Were at the best place around
    But some stupid with a password
    Burned the assessments to the ground
    Smoke on the water, fire in the sky

    They burned down the assessments
    They died with the first round
    Funky BOE was running in and out
    Pulling subpoenas out the air
    When it all was over
    Assessmentgate had to find another place
    But billing time was running up
    It seemed that we would lose the race
    Smoke on the water, fire in the sky

    It ended up with the State
    With a report empty cold and bare
    But with the MCAS and MSW online
    Making their music there
    With a few red herring and a few rumors
    They make a place to sweat
    No matter what we get out of this
    I know we’ll never forget
    Smoke on the water, fire in the sky

  41. POSTED BY complainerpuss  |  June 13, 2014 @ 12:59 pm

    If anyone is interested in reading the complete investigation report from the Office of Fiscal Accountability and Compliance (“OFAC”), it is available online at http://www.gobookee.org.

Leave a Reply

Baristanet Comment Policy:

Baristanet has specific guidelines for commenting. To avoid having your comment deleted -- or your commenting privileges revoked -- read this before you comment. Violators will be banned from commenting.

Report a comment that violates the guidelines to comments@baristanet.com. For trouble with registration or commenting, write to comments@baristanet.com.

Commenters on Baristanet.com are responsible for all legal consequences arising from their comments, including libel, infringement of copyright or actions that threaten a third party. By submitting a comment, you agree to indemnify Baristanet LLC, its partners and employees from any legal action arising from your comments.

In order to comment on the new system, you need to register a new Baristanet account. To get your own avatar next to your comments, sign up at Gravatar.com

You must be logged in to post a comment.

Follow, Friend, Subscribe