JEFFERSON CITY, Mo. — The personal information of teachers across Missouri was stored on the state’s Department of Elementary and Secondary Education (DESE) website, leaving it vulnerable, according to Governor Mike Parson and reporters at the St. Louis Post-Dispatch who discovered the security flaw.
The vulnerability was first discovered this week by the Post-Dispatch, which then alerted state officials about the issue. Reporters said the flaw was “in a web application that allowed the public to search teacher certifications and credentials.” State officials took down the pages involved Tuesday after it was brought to their attention.
Then, DESE sent out a news release Wednesday that said a hacker had obtained the records of three teachers, gaining access to their Social Security numbers.
The Post-Dispatch disputed the state’s characterization of the incident as a hacking in an updated story Wednesday night, defending its actions.
“In reality, the Post-Dispatch discovered the vulnerability and confirmed that the nine-digit numbers were indeed Social Security numbers. The paper then told the department that it had confirmed the vulnerability with three educators and a cybersecurity expert,” the newspaper reported.
"It wasn't a hack. It was complete negligence," cybersecurity expert George Rosenthal with ThrottleNet told 5 On Your Side.
Rosenthal said the state was audited back in 2015 and told to fix exactly this kind of situation. He said it appears the state did take corrective actions, though this issue continued in at least one area online.
"This is not something that was done with ill intent. In fact, whoever found this should be rewarded instead of being called a hacker or even threatened with a lawsuit," Rosenthal said.
Governor Mike Parson addressed the security issue in a news conference Thursday morning, saying the personal information wasn’t “clearly visible nor searchable on any of the web pages. The newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.”
The Post-Dispatch said it worked to expose the flaw to protect more educators. The governor said the person responsible will be held accountable.
“This individual is not a victim. They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Gov. Parson said.
The governor said state officials are working to strengthen their security and fix the flaw discovered by the Post-Dispatch.
“The state is owning its part and we are addressing areas in which we need to do better than we have done before,” he said, adding that the state plans to take legal action against the paper and its company.
5 On Your Side called the Post-Dispatch’s attorney Joseph Martineau, who emailed us the following statement.
"The reporter did the responsible thing by reporting his findings to the Department of Elementary and Secondary Education (DESE) so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as 'hacking' is unfounded. Thankfully, these failures were discovered."
The state is now directing teachers to free credit monitoring services, like those available at AnnualCreditReport.com.
Rosenthal said people who are worked up about this or any breach can take a number of steps, some as easy as changing their passwords, using a password manager for more complex combinations, and updating software on all devices to include the newest security patches.
He says adding two-factor identification to certain websites and apps will provide you with a code upon login, making it that much more secure.
If you are worried about an immediate risk to your credit history, Rosenthal said consumers may consider a credit freeze.