A critical state-run computer system that distributes billions of dollars in funding to public schools is so outdated, it could pose a cybersecurity risk, state Superintendent of Public Instruction Diane Douglas told lawmakers Monday.
Douglas told the Arizona House Committee on Education that the state’s school finance system, known as APOR/CHAR, relies on “Atari and Napster-era technology.” The system runs on Windows 2000 software, which Microsoft stopped providing security updates for in 2010.
The system processes $6.5 billion in state and federal school aid each year, Douglas said. Because school funding is based on student attendance, APOR/CHAR is linked to a new database called AzEDS that contains all student records.
"We have put every possible protection that we are able to put in place to protect student data; however, we can't overlook the inherent risks created by outdated technology," Douglas said. “If we really care about protecting the student data of 1.1 million children, we can't allow this to continue.”
Microsoft ended the life cycle of the software in July 2010, when it offered its final patches for security updates.
But in the seven years since, new vulnerabilities have been uncovered, said Ken Colburn of Data Doctors.
“Lots and lots of things have been discovered about this particular platform that nobody is doing anything about, so it's certainly disconcerting from a technical standpoint,” Colburn said.
Colburn sent Arizona’s Family a long list of known attack points in the Windows 2000 operating system that is published online. He said running unsupported software is “a very dangerous thing to do for any type of business, much less an organization as large as this.”
Douglas told committee members that replacing APOR/CHAR was the Department of Education’s “greatest need.”
If the Windows 2000 technology operating APOR/CHAR were to break down, it would cost the state millions for Microsoft to diagnose the issue, Douglas said.
“If it would take Microsoft $10 million just to look at it, we desperately need to spend the roughly $9 million for a new system to pay schools and protect student data,” she said.
Douglas pointed to an internal analysis by the Arizona Department of Administration’s IT team that ranked the Department of Education among the five state agencies at the greatest cybersecurity risk. She said “90 percent” of the low rating was based on the department running Windows 2000.
“Our situation today, with AzEDS matched to a legacy school finance system, is like having Amazon’s website and warehouse but a delivery system that uses a horse and buggy,” she said.
Copyright 2018 KPHO/KTVK (KPHO Broadcasting Corporation). All rights reserved.