The New York State Education Department hasn’t incorporated all of the recommendations to protect student data, leaving it vulnerable to attack, the Office of the State Comptroller wrote in a November letter to Education Commissioner MaryEllen Elia.

“The Department has not made significant progress,” the letter from State Comptroller Thomas P. DiNapoli said, according to a report in the Wall Street Journal, which prompted a statement from the education department noting that it has “operational security measures in place,” but admitting that its efforts have been stymied by difficulties in replacing its CISO.

“We have experienced challenges in filling in the CISO position since the incumbent left that position,” the spokesperson said. “We hope to fill that position in the coming weeks and that person will begin to implement the audit’s recommendations.”

The comptroller’s office had made the recommendations following an audit in July 2017.

Schools are a frequent target for hackers.

Recently, a pair of U.S. school districts were hit with two very different, but still damaging, cyberattacks in a week.

A former Chicago Public School employee was arrested for stealing the PII of 80,000 district workers, while Gallow, N.J., the district lost $200,000 due to a wire fraud scam.

In the Windy City incident, Kristi Sims was arrested on four counts of aggravated computer tampering and three counts of identity theft. The content taken included names, employee ID numbers, phone numbers, addresses, dates of birth, criminal arrest histories and DCFS findings. Sims was a contract worker for the district handling administrative tasks for the school’s Office of Safety and Security.

The Galloway Township Public School System was victimized by two fraudulent wire transfers scams of $200,000 each. One was canceled before any money was transferred, but the remaining amount is unrecovered at this times.

And in September, a GandCrab ransomware attack forced Monroe County School District in Florida to shut down its computer systems for at least three days.