Missouri Admits It Fucked Up In Exposing Teacher Data, Offers Apology To Teachers — But Not To Journalists It Falsely Accused Of Hacking

from the be-better-missouri dept

As you’ll recall, last month, journalists for the St. Louis Post-Dispatch revealed that the state’s Department of Elementary and Secondary Education (DESE) website was exposing teacher and administrator social security numbers in the HTML source code. This came years after state auditors had highlighted that DESE was already collecting information it should not have been collecting. Bizarrely, DESE and Missouri governor Mike Parson, rather than thanking these journalists for helping to protect the teachers, accused them of being hackers and promising to prosecute them. After people mocked him, he doubled down on the claim and a PAC closely connected to Parson put out a bizarre add playing up the evil “hacking” by the “fake news” media, along with ridiculous talk about “decoding the HTML source code.”

Except that, now, DESE has (much more quietly, and with much less bombast) apologized for the data breach and offered credit and identity theft monitoring to teachers:

The Department of Elementary and Secondary Education (DESE), in conjunction with Missouri’s Office of Administration Information Technology Services Division (OA-ITSD), will begin to send letters in the coming days to certificated educators across the state whose personally identifiable information (PII) may have been compromised during a recent data vulnerability incident.

Note the changing description here. What they were previously calling a “hack” is now, more accurately, called a “data vulnerability incident.” Though, a more accurate description would be that DESE exposed private data of teachers and administrators. Taking responsibility for that would mean being a bit more upfront about that. DESE messed up. Own it.

The state is unaware of any misuse of individual information or if information was accessed inappropriately outside of an isolated incident. However, out of an abundance of caution and in the unlikely event that this information was inappropriately accessed outside this single incident, the State of Missouri is offering 12 months of credit and identity theft monitoring resources through IDX to the approximately 620,000 past and present certificated educators whose PII was contained in the DESE certification database.

So, what’s notable here is that with all the claims of “hacks” being thrown around, DESE and the Governor kept insisting that just 3 individuals, whose info the reporters checked on, were exposed, and refused to admit that it actually impacted a very large number of teachers and administrators. Now, buried in the middle of this notice, we find out that the records of 620,000 teachers and administrators were exposed, including past employees. Wow.

And, also, there’s at least some kind of apology, even if it’s a bit of a mealy-mouthed one:

?Educators have enough on their plates right now and I want to apologize to them for this incident and the additional inconvenience it may cause them,? said Commissioner of Education Margie Vandeven. ?It is unacceptable. The security of the data we collect is of the utmost importance to our agency. Rest assured that we are working closely with OA-ITSD to resolve this situation.?

Notice, however, that the apology is only to the teachers and administrators and not to the journalists DESE and the Governor falsely accused of hacking. Perhaps that’s because — as the Kansas City Star reports — the journalists are still being investigated for possible prosecution:

That investigation is still ongoing, according to patrol Capt. John Hotz. Those interviewed so far have included Shaji Khan, a University of Missouri – St. Louis cybersecurity expert whom the Post-Dispatch consulted to verify the data flaw. Cole County Prosecutor Locke Thompson will ultimately make a decision on whether to bring charges.

Hell, in the description of what happened, DESE ignores that it previously accused the reporters of hacking, refuses to even call them reporters (refering to them as “an individual”) and then still plays up that the data needed to be “decoded.”

As previously announced by OA, on October 12, 2021, DESE was made aware that the PII of at least three Missouri educators was potentially compromised. The information was located within the educator certification data available on DESE?s website. An individual told DESE that they, through a multi-step process, accessed the certification records of at least three educators, took the encoded source data from that webpage, decoded that data, and then viewed the social security number (SSN) of those specific educators. Educators? PII was only accessible on an individual basis within this search tool, and there was no option to decode SSNs for all educators in the system all at once.

Again, if you click on the “previously announced” link, it takes you right to the announcement that calls the reporter “a hacker” and accuses them of “taking records.”

Notably, Governor Mike Parson, who was so eager to call the journalists hackers and call for their prosecution has not (as of me writing this) said anything directly on Twitter about all this — other than a bizarre tweet this morning about how “great teachers are crucial to our workforce development goals.” Of course, one way to get great teachers is not to expose their data, and then try to cover it up or to blame the responsible and ethical disclosure practices of journalists who actually helped to protect those teachers.

Filed Under: , , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Missouri Admits It Fucked Up In Exposing Teacher Data, Offers Apology To Teachers — But Not To Journalists It Falsely Accused Of Hacking”

Subscribe: RSS Leave a comment
26 Comments
This comment has been deemed insightful by the community.
katsai (profile) says:

It’s funny how many companies and government organizations trot out the "the security of the data we collect is of the utmost importance" line AFTER an easily preventable breach or (as in the case here) blatant information security malpractice. If the security of users were truly important to them, it wouldn’t be an afterthought, and they wouldn’t be attacking the white hats who properly disclose vulnerabilities in a responsible manner.

Scary Devil Monastery (profile) says:

Re: Re:

"It’s funny how many companies and government organizations trot out the "the security of the data we collect is of the utmost importance" line AFTER an easily preventable breach…"

Given that the WCry trojan was designed by a leaked NSA spy kit we know already that not even the most competent and best funded intel organizations can keep their data secured. What hope does a rural backwards state with half a leg still in the 18th century have?

You sort of have to admire the sheer unadulterated Chutzpah of these fuckwit grifters when they keep standing in front of the yawning door of the empty barn claiming that keeping the horses secured is the highest priority.

This comment has been deemed insightful by the community.
That One Guy (profile) says:

'Here's an ounce, now we're off to demand a pound...'

If anything offering credit and identity monitoring for a year to the teachers affected while still going after the reporters who exposed the problem is more an insult than an apology to them because the state is still sticking with a strategy that all but ensures that the next time the state screws up those with good intentions will look the other way lest they be targeted for harassment while those will ill intentions dive right in to exploit the vulnerability.

It’s like slapping a bandaid on a stab wound and pretending that that’s all that’s needed except worse as continuing to run with that idea the bandaid in question is designed to make the person more likely to be stabbed again in the future.

This comment has been deemed funny by the community.
Rico R. (profile) says:

BREAKING NEWS: Schools Install Hacking Software

Big Tech company Google was caught red-handed offering a hacking tool to schools and even the general public. The tool in question, Google Chrome, is known to decode HTML code and even display the source code of the content it displays with a simple right-click function. There are even reports that people can use an inspect tool to temporarily change what a webpage says without the authorization of the website owner. Google laughed off requests for comment, but Missouri’s governor is insistent that it will hold all who downloaded and used the tool accountable as well as investigate schools that use the software in question.

This comment has been deemed funny by the community.
Bobvious says:

Re: BREAKING NEWS: Schools Install Hacking Software

In other NEWS!!!

Missouri’s governor is suing the descendants of Leonardo Da Vinci because he wrote the Da Vinci Code, which is the precursor of all modern computing code, including encryption and decryption, and thus is principally responsible for this egregious data hack and the enablement of Big Tech. The governor further moved to arrest and jail all perpe"traitors" of ROT26, "whatever that heinous hell-code is".

"These hackers are using specific decoders to intercept our information. From here on we’ll be defeating them by the use of ‘plain-text encoding’", the governor was alleged to have said.

This comment has been deemed insightful by the community.
Scary Devil Monastery (profile) says:

Re: Shocked!

Shocking, innit?

At the end of the day we have Goldwater and Nixon’s "Southern Strategy" to thank for the GOP going from being the party of intellectual liberalism and hard science sceptical of religion to being the party of hysterical fearmongering morons competing in grifting.

I keep wanting to ask wtf happened but, alas, I’m fairly well read both on German tween-wars history as well as the US 60’s and 70’s. I know damn well what happened and how.

This comment has been deemed insightful by the community.
That Anonymous Coward (profile) says:

I know it can’t/won’t/shouldn’t happen but I’d love to see the Gov sued for this fiasco.

They should have known better than to put SS numbers on anything publicly accessible.

They should have had audits, this shits been going on for years.
They had no idea what the journalists had accessed, which means they have no idea what some curious "hacker" managed to find in the years they thought SS "hiden" in the html was a great idea.

He lied about this being a hack & tried to blame the reporters who did everything in a responsible way. The fact the case is still open raises questions about the mental competency of those investigating and pondering if to charge or not.

"we find out that the records of 620,000 teachers and administrators were exposed, including past employees."
620,000 people got screwed by these assholes & will end up having to deal with any fallout of the complete failure of the state to do even the most basic security things.

On a side thought, how many more millions of SS numbers getting leaked will finally force the government to block using SS numbers for getting credit? (Remembers that this is the same government who made medicare id’s peoples SS numbers despite there being widespread fraud that they expected people in their 80s to discover & report to them).

Imagine if the law held the victims of id theft as actual victims & put the cleanup of the wreckage on the lender & the credit agency. I imagine that securing their networks might take priority after the first couple million they end up on the hook for. Citizens can do everything right, but are always left to clean up the mess made by others who thought rot13 was uncrackable.

This comment has been deemed insightful by the community.
PaulT (profile) says:

"An individual told DESE that they, through a multi-step process, accessed the certification records of at least three educators, took the encoded source data from that webpage, decoded that data, and then viewed the social security number (SSN) of those specific educators"

A reminder before the usual technology clueless suspects turn up that encoding and encryption are not the same thing. Whether the information was encoded in base64 or in Finnish, translating the plain text into readable English is not the same as bypassing encryption. If decoding the text was illegal, you would still be seeing the HTML tags on the displayed page.

Also a reminder that trying to prosecute journalists for telling you about a laughably basic security flaw is always something that will backfire on you, from having the globe laughing at you with these articles, to people just letting the actual black hats steal your data next time. If you made such a basic screw up here, it’s likely you have others, and nobody’s going to tell you about those ones now.

"Educators’ PII was only accessible on an individual basis within this search tool, and there was no option to decode SSNs for all educators in the system all at once."

Oh, cool, so if you’re only letting one user at a time get doxxed instead of your entire staff at once, that’s acceptable?

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...