Parson vows to ‘utilize all legal methods’ after Post-Dispatch employee discovers DESE website vulnerability

  

Gov. Mike Parson vowed to hold “perpetrators” responsible after educators’ personal information on the Department of Elementary and Secondary Education’s (DESE) website was compromised. 

The whole matter — which the governor called a “hack” — could cost the taxpayers up to $50 million, Parson said. 

Parson said an individual obtained personal information, including Social Security numbers, of at least three teachers through a “multistep process” that decoded and converted the data. The Cole County prosecutor has been notified, and the Missouri State Highway Patrol’s Digital Forensic Unit will conduct an investigation “of all of those involved.” 

“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians. It is unlawful to access encoded data and systems in order to examine other peoples’ personal information,” Parson said during a press conference Thursday morning. “We are coordinating state resources to respond and utilize all legal methods available.” 

In a story Wednesday, the St. Louis Post-Dispatch said one of its employees had “discovered the vulnerability in a web application” and notified DESE. 

The newspaper’s attorney, Joseph Martineau of Lewis Rice, said: 

“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.” 

“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.” 

The Post-Dispatch said it held off on publishing its story in order to give DESE time to correct the website. 

But Parson said the individual did not have the authorization to decode the personal information gleaned from the website, saying “this was clearly a hack.” 

“This matter is a serious matter. The state is committing to bring to justice anyone who hacked our system and anyone who aided and encouraged them to do so,” Parson said. “This individual is not a victim. They were acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.” 

DESE’s website compiles teacher information that can be accessed by local school districts when verifying an educator’s certification. The last four digits of a person’s SSN can be used to identify an educator. 

Upon discovering the vulnerability Tuesday, DESE notified the Office of Administration’s Information Technology Services Division (OA-ITSD), which administers the website on which the information was housed, and public access to the system was closed.

“These records were only accessible on an individual basis, and there was no option to decode SSNs for all educators in the system all at once,” DESE Commissioner Margie Vandeven said in a letter to educators. “The state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident. The situation is in the early stages of investigation.”

Parson said the state is working to strengthen its security to prevent a similar “incident.” 

“We apologize to the hardworking Missouri teachers who now have to wonder if [their] personal information was compromised for pathetic, political gain by what is supposed to be one of Missouri’s news outlets,” the governor said. 

The tool has been online for a decade and has been reviewed multiple times with no vulnerability found, according to the Office of Administration. 

Missouri Chief Information Officer Jeff Wann said the division quickly responded to the issue and surveyed other sites for similar vulnerabilities. 

“As new threats continually arise, ITSD acts quickly to address those threats,” Wann said. “Upon learning of this vulnerability, ITSD removed public access from the system and updated the code to remediate the vulnerability immediately. All similarly situated public-facing systems were evaluated for this vulnerability and no other instances were found. Modernizing the state’s systems is a high priority to assure ever-changing security threats are addressed.”

Wann and Vandeven encouraged educators to monitor credit reports to ensure their information was not being used. 

A 2015 report from Auditor Nicole Galloway raised concerns over DESE’s Missouri Student Information System, a student information reporting system that also compiles Social Security numbers in some cases. Galloway recommended keeping personal information at a minimum to limit the potential negative effects of a data breach. 

Department of Public Safety Director Sandy Karsten joined Parson at the morning press conference, although she did not speak. Vandeven was not in attendance.

Officials did not take questions following Parson’s remarks. 

Cameron Gerber contributed to this report.