Comptroller Dings Levittown Schools In Audit Report

LEVITTOWN, NY — Levittown Public Schools spent almost two years at a heightened risk for computer security breaches, the New York State Comptroller’s office said in a new audit report.

In the report, the office of comptroller Thomas DiNapoli found that Levittown Public Schools, “did not adequately manage nonstudent network accounts and permissions” during a period between July 1, 2023 and March 6, 2025, leaving the district at, “an increased risk of unauthorized access, which could lead to loss of the District's data and network resources.”

Specifically, the comptroller’s office said that the district had failed to disable five user accounts that were no longer needed during that time, out of a total pool of over 2,900 accounts. In the report, the comptroller’s office said district officials hadn’t disabled the accounts because they weren’t aware that the account users had left the district.

Furthermore, the comptroller’s office said the district hadn’t made it policy to use dedicated “administrative” accounts or to update computer software in efforts to keep nonstudent accounts secure.

In a response to the audit, Levittown Superintendent Todd Winch said the district had received the audit and appreciated the work that went into it. As for the failures outlined in the report, Winch said the district was not of the same opinion as state officials.

“While we do feel our network accounts are adequately managed, we welcome the recommendations cited in the report as an opportunity to improve upon our policies and procedures,” Winch wrote. “We are committed to keeping our District cybersecure and reducing risks whenever possible.”

Winch concluded his response by thanking the comptroller’s office for its “knowledge, input and professionalism” during the audit process.

As for those recommendations Winch mentioned, the comptroller’s office said the board of education should “amend the policy for nonstudent network accounts to require the use of dedicated administrative accounts for users who need elevated privileges. The policy should also state that all general computing activities should be performed using lesser-privileged network user accounts.”

Meanwhile, the comptroller’s office said that the IT department in Levittown Public Schools should have a written procedure that requires the district’s HR department to tell the IT department before or on the same day that an employee leaves the district. Also recommended was the use of a written procedure for contractors hired by the district, which would include notifying the IT department of the start and end dates for the contractors’ work with the district, allowing the IT department to create and disable user accounts in a more timely manner.

While the comptroller's office said the district was at an enhanced risk of cybersecurity breaches due to the mismanagement of non-student accounts and the lack of updates on district computers, the report did not mention any breaches occurring during the audit period.

"Network user accounts are potential entry points for attackers because, if compromised, they
could be used to inappropriately access and view personal, private, sensitive information (PPSI) on the
network, make unauthorized changes to official school district records or deny legitimate access to network
resources," the comptroller's office said.