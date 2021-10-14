JEFFERSON CITY — Gov. Mike Parson said the state plans to prosecute a St. Louis Post-Dispatch reporter for bringing to light flaws in the Department of Elementary and Secondary Education website.
According to a news release from DESE, Social Security numbers of school faculty and staff were vulnerable through a web application.
The St. Louis Post-Dispatch reported more than 100,000 Social Security numbers were vulnerable and visible in the HTML source code of certain pages.
Parson said during a news conference Thursday, that an individual hacker had "unlawfully decoded the records of at least three educators." Parson said his administration has notified the Cole County prosecutor and the Highway Patrol's Digital Forensic Unit of the matter.
"They were acting against the state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet," he said.
The governor also said it could cost Missouri taxpayers "as much as $50 million."
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.We notified the Cole County prosecutor and the Highway Patrol's Digital Forensic Unit will investigate.
St. Louis Post-Dispatch Attorney Joe Martineau stated the outlet's reporting was not by malicious or criminal intent.
"The reporter did the responsible thing by reporting his findings to the Department of Elementary and Secondary Education (DESE) so that the state could act to prevent disclosure and misuse," Martineau said in a statement.
DESE was made aware Tuesday of the vulnerable data and said it has since fixed the issue by removing public access to the system and updating coding.
According to a 2015 state audit of the agency's website, DESE was unnecessarily storing students' social security numbers without a business purpose to include the information.
"Maintaining personally identifiable information that is not necessary for business functions places students at risk should a data breach occur," the audit stated. "By limiting this information to the least amount necessary, DESE may limit potential negative consequences in the event of a data breach."
Matt Michelson, director of education policy for the Missouri State Teacher's Association (MSTA), said the state should work to communicate clearly to protect teachers.
"I think clear communication to education professionals and to members of the state to know exactly what happened, when it happened and how those teachers and educators are going to be affected or have been affected," he said.
Michelson said as of Thursday, no teachers have come forward to MSTA regarding any breach of personal information.
MSTA statement on the DESE website vulnerabilities:
According to the Social Security Administration, if someone obtains your Social Security number, they can use it to apply for credit and intentionally damage your credit score.
If you suspect someone has stolen your social security number, you can call the Federal Trade Commission's identity theft hotline at 1-877-IDTHEFT or visit the website.