JEFFERSON CITY — State education officials on Tuesday downplayed their role in the investigation of the after the newspaper identified an online security flaw that put the Social Security numbers of 100,000 educators across Missouri at risk of exposure.
Last week, Gov. Mike Parson accused the newspaper of hacking the Department of Elementary and Secondary Education’s website in a “crime against Missouri teachers” and called for an investigation by the Cole County prosecutor and the Missouri Highway Patrol.
Parson’s declaration was met with derision from cybersecurity experts and earned national media attention.
The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials.
People are also reading…
The newspaper delayed publishing its report until the Department of Elementary and Secondary Education had removed the affected pages from its website and the state had time to examine other agencies’ web applications for similar vulnerabilities.
House Minority Leader , D-Springfield, urged education department officials to “denounce the attacks on a news organization whose only ‘offense’ was to engage in solid public service journalism,” in a letter sent Monday to Education Commissioner Margie Vandeven and the eight-member education board.
When asked Tuesday about the investigation before a Missouri school board meeting, President Charlie Shields said, “obviously that’s — that’s the governor’s decision; that’s not a position that the board or myself are going to take a position on. You know, he’s closer to the issue than I am.”
The significant security flaw on DESE’s website included Social Security numbers in the HTML source code of a web application that allows the public to look up teachers’ certification status. The information was not encrypted and did not require authentication by website users.
After the newspaper reported the flaw to DESE last week, Vandeven sent a letter to school district leaders alerting them to a security “threat” by “an individual” who “took the records of at least three educators, unencrypted the source code from the webpage and viewed the social security number (SSN) of those specific educators.” Vandeven included a link to a press release from the state Office of Administration describing a Post-Dispatch journalist as a “hacker.”
Asked on Tuesday why DESE blamed a reporter for the security issue, Vandeven said, “I would ask you to do your research on — on where and who is responsible for those data security issues before you make that accusation.”
In response to a question about the description of “hacking,” DESE spokeswoman Mallory McGowin said, “those are phrases and words that are included in an Office of Administration press release.”
During the state board meeting, Vandeven gave a short statement, saying “I cannot stress enough that our agency is taking this issue very seriously and that the security of our data is of the utmost importance to us … as we are under an investigation, we are limited in the types of information we can provide.”
Board President Shields said many organizations “have experienced challenges” with data security, including Truman Medical Centers where he is president and CEO.
“We will continue to have to devote more and more resources to build that firewall against the challenges that are coming from the outside,” he said.
$50 million
Also Tuesday, House Democrats said a $50 million price tag that Parson put on the incident last week is for credit monitoring services and for a call center, not for an investigation into the journalist who broke the story.
“This incident alone may cost Missouri taxpayers as much as $50 million and divert workers and resources from other state agencies,” Parson said last week.
Reps. and , both Democrats, said in a news release they had inquired of Parson’s administration regarding the figure. Merideth said it was still unclear whether the credit monitoring services would cost $50 million or if Parson made up the amount.
“Democratic caucus members on the budget committee will be watching like hawks to ensure that — if the $50 million cost is real — the money goes to the teachers affected by this gaping hole in our security system and not to the many consultant friends the governor always seems so eager to hire,” Merideth said.