The confidential records of children and teachers have been left vulnerable to cyber security attacks and data mismanagement due to departmental oversight in the Northern Territory Government, a report from the auditor general's office has revealed.

Key points: A leading cyber-security expert says the auditor general's report raises major concerns, and the data system should be restructured

A leading cyber-security expert says the auditor general's report raises major concerns, and the data system should be restructured SAMS stores personal information about students' enrolment, attendance rates, health and behavioural information

SAMS stores personal information about students' enrolment, attendance rates, health and behavioural information The NT Education Minister says the Education Department has worked to deal with the issues raised

The Student Administration Management System (SAMS) used by the NT Department of Education was shown in an audit to have limited guidelines around user access and a "lack of comprehensive security monitoring" since its roll out in 2017.

SAMS stores personal student information about enrolment, attendance rates, health and behaviour.

It also captures demographic data around students and parents.

Although the system does not have any financial information, it is used to determine funding allocations to NT government schools.

The NT auditor general's report detailed how the centrally hosted database had a lack of user governance processes, a seemingly "excessive" amount of administration accounts, and there were a number of terminated staff members who could have retained access to the system.

The auditor general's report highlighted a number of issues with the Education Department's data management.

Possible investigations could be impaired

It also stated there was no adequate monitoring of user activities, which could "impair incident investigation activities associated with a cyber-security incident".

The report, published this week, said the server had not conducted any security patches since June 2018.

Matt Warren, who is a professor of cyber security with more than 20 years' experience and is the deputy director of the Deakin University Centre for Cyber Security Research and Innovation, said the report raised significant concerns.

He said the NT Government needed to invest in a restructure of the system.

"I think what it highlights is a system that was designed without security in mind," he said.

"The problem that the Northern Territory is facing now is having to retrospectively put in security mechanisms."

Mr Warren said the extensive issues would take a lot of work.

"Because it means reconfiguring the system in terms of control and the fact you need effective account management," he said.

"There were 790 administrators who have powers to do anything within the system — that is an immediate concern.

Cyber-security professor Matt Warren said he had a number of concerns after reading the auditor general's report. ( Supplied )

"The system holds confidential information about students, including health issues and behavioural information — as well as their demographic and whether they've been attending school.

"So immediately you have an issue there of sensitive information potentially being exposed.

"The report highlights that some of the administrators' passwords haven't been changed in a year, which is a major worry.

"The problem you've got is that there isn't a simple solution because there are so many security weaknesses and vulnerabilities in the system.

"It is going to take time, it is going to take resources and, of more importance, it is going to take leadership."

No upcoming investigations into data breaches

The Territory's Education Minister Selena Uibo said the NT Education Department had worked to deal with the issues highlighted.

"In terms of the auditor general's report, my understanding is that the Department of Education has addressed each of those concerns and they have been rectified with the SAMS system," she said.

When asked if the Education Department would investigate any breaches during the two years of highlighted issues in the system's administration, Ms Uibo said she was not aware of any upcoming initiatives.

"I think one of the biggest issues in terms of the data was the concern about the privacy, the levels of privacy with that system and making sure we had security systems in place to protect, particularly, student details but also staff details," she said.

"I'm sure if there were any issues they would be putting in place a review to make sure that the privacy of students and staff was protected and that if there were any breaches that they would be dealt with and there would be consequences."