Press "Enter" to skip to content

Prosecutor resolves Post-Dispatch, DESE data breach incident ‘through non-legal means’

EXCLUSIVE — A Cole County prosecutor declined to charge a St. Louis Post-Dispatch employee for the Department of Elementary and Secondary Education (DESE) “data breach,” saying a resolution through “non-legal means” had been reached. 

Cole County prosecutor Locke Thompson said any potential data breach should be fully investigated, and he thanked the Missouri State Highway Patrol for doing so. 

“There is an argument to be made that there was a violation of law. However, upon review of the case file, the issues at the heart of the investigation have been resolved through non-legal means,” Thompson said. “As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case.” 

“Protecting the personal information of Missouri’s state employees, many of whom are my constituents, is a top priority for both myself and the governor, and I want to thank him for forwarding the concerns of a data breach of the DESE website on to the Missouri State Highway Patrol for review,” Thompson added.

In October, Gov. Mike Parson said an individual obtained personal information, including Social Security numbers, of at least three teachers through a “multistep process” that decoded and converted the data. 

“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians. It is unlawful to access encoded data and systems in order to examine other peoples’ personal information,” Parson said then. “We are coordinating state resources to respond and utilize all legal methods available.” 

The St. Louis Post-Dispatch said one of its employees had “discovered the vulnerability in a web application” and notified DESE. 

The newspaper’s attorney, Joseph Martineau of Lewis Rice, said: 

“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.” 

“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.” 

The Post-Dispatch said it held off in publishing its story in order to give DESE time to correct the website. 

But Parson said the individual did not have the authorization to decode the personal information gleaned from the website, saying “this was clearly a hack.” 

“This matter is a serious matter. The state is committing to bring to justice anyone who hacked our system and anyone who aided and encouraged them to do so,” Parson said. “This individual is not a victim. They were acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.” 

DESE’s website compiles teacher information that can be accessed by local school districts when verifying an educator’s certification. The last four digits of a person’s SSN can be used to identify an educator. 

Upon discovering the vulnerability, DESE notified the Office of Administration’s Information Technology Services Division (OA-ITSD) which administers the website the information was housed on, and public access to the system was closed.  

“These records were only accessible on an individual basis, and there was no option to decode SSNs for all educators in the system all at once,” DESE Commissioner Margie Vandeven said in a letter to educators. “The state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident. The situation is in the early stages of investigation.”

“I wish to make clear that this office maintains a zero-tolerance policy for the unauthorized taking and using of the personal information of any person, and violators will be prosecuted to the fullest extent of the law,” Thompson said Friday.