Missouri Governor’s Office Responsible for Teacher Data Leak – Krebs on Security
Missouri Governor Mike Parson made headlines last year when it pledged to criminally prosecute a journalist for reporting a security breach at a state website that exposed the personal information of more than 100,000 teachers. But Missouri prosecutors now say they won’t pursue charges following revelations that the data had been exposed since 2011 – two years after responsibility for securing the state’s computer systems was centralized within the Parson’s own administration office.
As of October 2021, St. Louis Post-Dispatch reporter Josh Renaud alerted Missouri Department of Education officials that their website exposed the Social Security numbers of more than 100,000 elementary and middle school teachers in the state. Renaud discovered that teacher SSNs were accessible in the HTML source code of some Missouri Department of Education web pages.
After confirming that state IT officials secured exposed teacher data, the Post-Dispatch published a story about their findings. Governor Parson responded by holding a press conference at which he vowed his administration would seek to prosecute and investigate “hackers” and anyone who aided the publication in its “attempt to embarrass the State and sell titles for their media”.
“The state is committed to bringing to justice anyone who hacked into our systems or helped them do so,” Parson said in October. “A hacker is someone who gains unauthorized access to information or content. This person did not have permission to do what she did. They had no permission to convert or decode, so it was clearly a hack.
Parson commissioned the Missouri Highway Patrol to produce a report on their investigation of “the hijackers”. On Monday, February 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that Renaud did nothing wrong and only accessed publicly available information.
Emails later obtained by the Post-Dispatch showed that the FBI had told state cybersecurity officials that there was “no actual network intrusion” and that the base of state data was “misconfigured”. The emails also revealed the proposed message when Education Department officials initially prepared to respond in October:
“We are grateful to the member of the media who brought this to the state’s attention,” was the proposed quote attributed to the state education commissioner before Parson began shooting the messenger.
The Missouri Highway Patrol report includes an interview with Mallory McGowin, the communications director for the state’s Department of Elementary and Secondary Education (DESE). McGowin told police the weakness of the website actually exposed 576,000 teachers’ Social Security numbers, and the data would have been exposed publicly for a decade.
McGowin also said the DESE website was developed and maintained by the Office of Administration Computer Services Division (ITSD) – which the governor’s office directly controls.
“I asked Ms. McGowin if I was correct that the website was for DESE, but was managed by ITSD, and she indicated that was correct,” wrote the Highway Patrol investigator. “I asked her if ITSD was part of the Office of Administration, or if DESE had its IT section, and she said it was in the Office of administration. She said that in 2009 the policy was changed to transfer all information technology services to the Office of Administration.
The report was a vindication for Renaud and for the University of Missouri-St. Louis teacher Chaji Khan, which helped the Post-Dispatch verify that the security flaw existed. Khan was also the target of Parson’s vow to pursue “the pirates”. Khan’s lawyer Elad Gross told the publication that his client was not charged and that “state officials have done all wrongdoing here.”
“They failed to follow basic safety procedures for years, failed to protect teachers’ social security numbers, and failed to take responsibility, choosing instead to open a baseless investigation into two Missourians. who did the right thing and reported the issue,” Gross said. Post-shipment. “We thank the Missouri State Highway Patrol and the Cole County District Attorney’s Office for their diligent work on a case that should never have been sent to them.”