data vulnerability – Techdirt

Stories filed under: "data vulnerability"

Missouri Admits It Fucked Up In Exposing Teacher Data, Offers Apology To Teachers — But Not To Journalists It Falsely Accused Of Hacking

from the be-better-missouri dept

As you’ll recall, last month, journalists for the St. Louis Post-Dispatch revealed that the state’s Department of Elementary and Secondary Education (DESE) website was exposing teacher and administrator social security numbers in the HTML source code. This came years after state auditors had highlighted that DESE was already collecting information it should not have been collecting. Bizarrely, DESE and Missouri governor Mike Parson, rather than thanking these journalists for helping to protect the teachers, accused them of being hackers and promised to prosecute them. After people mocked him, he doubled down on the claim and a PAC closely connected to Parson put out a bizarre ad playing up the evil “hacking” by the “fake news” media, along with ridiculous talk about “decoding the HTML source code.”

Except that, now, DESE has (much more quietly, and with much less bombast) apologized for the data breach and offered credit and identity theft monitoring to teachers:

The Department of Elementary and Secondary Education (DESE), in conjunction with Missouri’s Office of Administration Information Technology Services Division (OA-ITSD), will begin to send letters in the coming days to certificated educators across the state whose personally identifiable information (PII) may have been compromised during a recent data vulnerability incident.

Note the changing description here. What they were previously calling a “hack” is now, more accurately, called a “data vulnerability incident.” Though, a more accurate description would be that DESE exposed private data of teachers and administrators. Taking responsibility for that would mean being a bit more upfront about that. DESE messed up. Own it.

The state is unaware of any misuse of individual information or if information was accessed inappropriately outside of an isolated incident. However, out of an abundance of caution and in the unlikely event that this information was inappropriately accessed outside this single incident, the State of Missouri is offering 12 months of credit and identity theft monitoring resources through IDX to the approximately 620,000 past and present certificated educators whose PII was contained in the DESE certification database.

So, what’s notable here is that with all the claims of “hacks” being thrown around, DESE and the Governor kept insisting that just 3 individuals, whose info the reporters checked on, were exposed, and refused to admit that it actually impacted a very large number of teachers and administrators. Now, buried in the middle of this notice, we find out that the records of 620,000 teachers and administrators were exposed, including past employees. Wow.

And, also, there’s at least some kind of apology, even if it’s a bit of a mealy-mouthed one:

“Educators have enough on their plates right now and I want to apologize to them for this incident and the additional inconvenience it may cause them,” said Commissioner of Education Margie Vandeven. “It is unacceptable. The security of the data we collect is of the utmost importance to our agency. Rest assured that we are working closely with OA-ITSD to resolve this situation.”

Notice, however, that the apology is only to the teachers and administrators and not to the journalists DESE and the Governor falsely accused of hacking. Perhaps that’s because — as the Kansas City Star reports — the journalists are still being investigated for possible prosecution:

That investigation is still ongoing, according to patrol Capt. John Hotz. Those interviewed so far have included Shaji Khan, a University of Missouri – St. Louis cybersecurity expert whom the Post-Dispatch consulted to verify the data flaw. Cole County Prosecutor Locke Thompson will ultimately make a decision on whether to bring charges.

Hell, in the description of what happened, DESE ignores that it previously accused the reporters of hacking, refuses to even call them reporters (referring to them as “an individual”) and then still plays up that the data needed to be “decoded.”

As previously announced by OA, on October 12, 2021, DESE was made aware that the PII of at least three Missouri educators was potentially compromised. The information was located within the educator certification data available on DESE’s website. An individual told DESE that they, through a multi-step process, accessed the certification records of at least three educators, took the encoded source data from that webpage, decoded that data, and then viewed the social security number (SSN) of those specific educators. Educators’ PII was only accessible on an individual basis within this search tool, and there was no option to decode SSNs for all educators in the system all at once.

Again, if you click on the “previously announced” link, it takes you right to the announcement that calls the reporter “a hacker” and accuses them of “taking records.”

Notably, Governor Mike Parson, who was so eager to call the journalists hackers and call for their prosecution, has not (as of me writing this) said anything directly on Twitter about all this — other than a bizarre tweet this morning about how “great teachers are crucial to our workforce development goals.” Of course, one way to get great teachers is not to expose their data, and then try to cover it up or to blame the responsible and ethical disclosure practices of journalists who actually helped to protect those teachers.

Filed Under: credit monitoring, data breach, data vulnerability, dese, hacking, journalism, mike parson, missouri, st. louis, teachers