Missouri is offering 12 months of free credit and identity theft monitoring to educators whose personal information could be at risk due to a vulnerability in a state website discovered last month.
At least three teachers’ Social Security numbers became vulnerable last month after data was accessed on the Department of Elementary and Secondary Education (DESE)’s website — which compiles teacher information that can be accessed by local school districts when verifying an educator’s certification. The last four digits of a person’s Social Security number can be used to identify an educator.
No misuse of information nor access to information outside of last month’s incident has been reported, according to DESE, but the option will be extended to approximately 620,000 current and former teachers whose data was included on the department’s website.
The services are expected to cost the state $800,000.
DESE and the Office of Administration Technology Services Division (OA-ITSD) will notify teachers whose information may have been at risk in the coming days.
“Educators have enough on their plates right now, and I want to apologize to them for this incident and the additional inconvenience it may cause them,” DESE Commissioner Margie Vandeven said. “It is unacceptable. The security of the data we collect is of the utmost importance to our agency. Rest assured that we are working closely with OA-ITSD to resolve this situation.”
Gov. Mike Parson said the information was accessed through a “multistep process” that decoded and converted the data. The Cole County prosecutor was notified, and the Missouri State Highway Patrol’s Digital Forensic Unit will conduct an investigation “of all of those involved.”
In a story, the St. Louis Post-Dispatch said one of its employees had “discovered the vulnerability in a web application” and notified DESE.
“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent,” the newspaper’s attorney, Joseph Martineau of Lewis Rice, said. “For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
The Post-Dispatch said it held off in publishing its story to give DESE time to correct the website.
Parson reiterated his intention to pursue the case on “This Week in Missouri Politics” in October, saying all involved in the alleged hack should be prosecuted.
Cameron Gerber studied journalism at Lincoln University. Prior to Lincoln, he earned an associate’s degree from State Fair Community College. Cameron is a native of Eldon, Missouri.
Contact Cameron at firstname.lastname@example.org.