Douglas: AZ school finance system a cybersecurity risk; uses 'Windows 2000'

The school finance system runs on Windows 2000 software, which Microsoft stopped providing security updates for in 2010. (Source: 3TV/CBS 5)
If the Windows 2000 technology operating APOR/CHAR were to break down, it would cost the state millions for Microsoft to diagnose the issue, Douglas said. (Source: 3TV/CBS 5)
Douglas said “90 percent” of the low rating was based on the department running Windows 2000. (Source: 3TV/CBS 5)
Douglas told committee members that replacing APOR/CHAR was the Department of Education’s “greatest need.” (Source: 3TV/CBS 5)
PHOENIX (3TV/CBS 5) -

A critical state-run computer system that distributes billions of dollars in funding to public schools is so outdated, it could pose a cybersecurity risk, state Superintendent of Public Instruction Diane Douglas told lawmakers Monday.

Douglas told the Arizona House Committee on Education that the state’s school finance system, known as APOR/CHAR, relies on “Atari and Napster-era technology.” The system runs on Windows 2000 software, which Microsoft stopped providing security updates for in 2010.

The system processes $6.5 billion in state and federal school aid each year, Douglas said. Because school funding is based on student attendance, APOR/CHAR is linked to a new database called AzEDS that contains all student records.

"We have put every possible protection that we are able to put in place to protect student data; however, we can't overlook the inherent risks created by outdated technology," Douglas said. “If we really care about protecting the student data of 1.1 million children, we can't allow this to continue.”

Microsoft ended the life cycle of the software in July 2010, when it offered its final patches for security updates.

But in the seven years since, new vulnerabilities have been uncovered, said Ken Colburn of Data Doctors.

“Lots and lots of things have been discovered about this particular platform that nobody is doing anything about, so it's certainly disconcerting from a technical standpoint,” Colburn said.

Colburn sent Arizona’s Family a long list of known attack points in the Windows 2000 operating system that is published online. He said running unsupported software is “a very dangerous thing to do for any type of business, much less an organization as large as this.”

Douglas told committee members that replacing APOR/CHAR was the Department of Education’s “greatest need.”

If the Windows 2000 technology operating APOR/CHAR were to break down, it would cost the state millions for Microsoft to diagnose the issue, Douglas said.

“If it would take Microsoft $10 million just to look at it, we desperately need to spend the roughly $9 million for a new system to pay schools and protect student data,” she said.

Douglas pointed to an internal analysis by the Arizona Department of Administration’s IT team that ranked the Department of Education among the five state agencies at the greatest cybersecurity risk. She said “90 percent” of the low rating was based on the department running Windows 2000.

“Our situation today, with AzEDS matched to a legacy school finance system, is like having Amazon’s website and warehouse but a delivery system that uses a horse and buggy,” she said.

Copyright 2018 KPHO/KTVK (KPHO Broadcasting Corporation). All rights reserved.


Derek Staahl is an Emmy Award-winning reporter and fill-in anchor who loves covering stories that matter most to Arizona families.
