Turns Out It Was Actually The Missouri Governor's Office Who Was Responsible For The Security Vulnerability Exposing Teacher Data

from the will-you-look-at-that dept

The story of Missouri’s Department of Elementary and Secondary Education (DESE) leaking the Social Security Numbers of hundreds of thousands of current and former teachers and administrators could have been a relatively small story of yet another botched government technology implementation — there are plenty of those every year. But then Missouri Governor Mike Parson insisted that the reporter who reported on the flaw was a hacker and demanded he be prosecuted. After a months’ long investigation, prosecutors declined to press charges, but Parson doubled down and insisted that he would “protect state data and prevent unauthorized hacks.”

You had to figure another shoe was going to drop and here it is. As Brian Krebs notes, it has now come out that it was actually the Governor’s own IT team that was in charge of the website that leaked the data. That is, even though it was the DESE website, that was controlled by the Governor’s own IT team. This is from the now released Missouri Highway Patrol investigation document. As Krebs summarizes:

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state?s Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade.

McGowin also said the DESE?s website was developed and maintained by the Office of Administration?s Information Technology Services Division (ITSD) ? which the governor?s office controls directly.

?I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct,? the Highway Patrol investigator wrote. ?I asked her if the ITSD was within the Office of Administration, or if DESE had their on-information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration.?

Now, it’s important to note that the massive, mind-bogglingly bad, security flaw that exposed all those SSNs in the source code of publicly available websites was coded long before Parson was the governor, but it’s still his IT team that was who was on the hook here. And perhaps that explains his nonsensical reaction to all of this?

For what it’s worth, the report also goes into greater detail about just how dumb this vulnerability was:

Ms. Keep and Mr. Durnow told me once on the screen with this specific data about any teacher listed in the DESE system, if a user of the webpage selected to view the Hyper Text Markup Language (HTML) source code, they were allowed to see additional data available to the webpage, but not necessarily displayed to the typical end-user. This HTML source code included data about the selected teacher which was Base64 encoded. There was information about other teachers, who were within the same district as the selected teacher, on this same page; however, the data about these other teachers was encrypted.

Ms. Keep said the data which was encoded should have been encrypted. Ms. Keep told me Mr. Durnow was reworking the web application to encrypt the data prior to putting the web application back online for the public. Ms. Keep told me the DESE application was about 10 years old, and the fact the data was only encoded and not encrypted had never been noticed before.

This explains why Parson kept insisting that it wasn’t simply “view source” that was the issue here, and that it was hacking because it was “decoded.” But Base64 decoding isn’t hacking. If it was, anyone figuring out what this says would be a “hacker.”


That’s not hacking. That’s just looking at what’s there and knowing how to read it. Not understanding the difference between encoding and encrypting is the kind of thing that is maybe forgivable for a non-techie in a confused moment, but Parson has people around him who could surely explain it — the same people who clearly explained it to the Highway Patrol investigating. But instead, he still insists it was hacking and is still making journalist Jon Renaud’s life a living hell from all this nonsense.

The investigation also confirms exactly as we had been saying all along that Renaud and the St. Louis Post-Dispatch did everything in the most ethical way possible. It found the vulnerability, checked to make sure it was real, confirmed it with an expert, then notified DESE about it, including the details of the vulnerability, and while Renaud noted that the newspaper was going to run a story about it, made it clear that it wanted to make sure the vulnerability was locked down before the story would run.

So, once again, Mike Parson looks incredibly ignorant, and completely unwilling to take responsibility. And the more he does so, the more this story continues to receive attention.

Filed Under: , , , , ,
Companies: st. louis post dispatch

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Turns Out It Was Actually The Missouri Governor's Office Who Was Responsible For The Security Vulnerability Exposing Teacher Data”

Subscribe: RSS Leave a comment
This comment has been deemed insightful by the community.
Mononymous Tim (profile) says:

I'm a hacker!

Mike Parson is a very bad governor who beieves [sic] that his own IT team’s very bad coding practices should not be blamed, and instead that he can attack journalists who ethically disclosed the vulnerability as "hackers" rather than take even the slightest bit of responsibility.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re:

Even if it was encrypted, still doesn’t explain why data on other teachers was being sent.

If it is being sent to the client (browser), it’s going to get decrypted at some point. And if the web page itself is decrypting it on the client side, they’ve also (at some point) sent the key. Having sent the client both the encrypted data, and the key to everything, you expect the encryption to be worth anything at all?

They say it was "10 years old", so perhaps the site wasn’t using HTTPS … which is another strike against it. (The HTTPS-Everywhere extension was created in 2014, only a couple years after the "10 years", and HTTPS itself dates back to 1994…

nasch (profile) says:

Re: Re:

Exactly this, it does not matter if it was encrypted, encoded, clear text, or in any other form, if it’s data you don’t want public you should not have let it outside your security boundary.

That’s what encryption in transit is for: data you don’t want public that you need to send somewhere else. With your rule, nobody could send or receive any sensitive data.

Anonymous Coward says:

So here goes…

✅ ~ % echo TWlrZSBQYXJzb24gaXMgYSB2ZXJ5IGJhZCBnb3Zlcm5vciB3aG8gYmVpZXZlcyB0aGF0IGhpcyBvd24gSVQgdGVhbSdzIHZlcnkgYmFkIGNvZGluZyBwcmFjdGljZXMgc2hvdWxkIG5vdCBiZSBibGFtZWQsIGFuZCBpbnN0ZWFkIHRoYXQgaGUgY2FuIGF0dGFjayBqb3VybmFsaXN0cyB3aG8gZXRoaWNhbGx5IGRpc2Nsb3NlZCB0aGUgdnVsbmVyYWJpbGl0eSBhcyAiaGFja2VycyIgcmF0aGVyIHRoYW4gdGFrZSBldmVuIHRoZSBzbGlnaHRlc3QgYml0IG9mIHJlc3BvbnNpYmlsaXR5Lg== | base64 -d

Mike Parson is a very bad governor who beieves that his own IT team's very bad coding practices should not be blamed, and instead that he can attack journalists who ethically disclosed the vulnerability as "hackers" rather than take even the slightest bit of responsibility.

✅ ~ % whereis base64

✅ ~ % uname -a
Darwin macMini.flat 19.6.0 Darwin Kernel Version 19.6.0: Thu Jan 13 01:26:33 PST 2022; root:xnu-6153.141.51~3/RELEASE_X86_64 x86_64

So it appears that macOS has hacker tools built into it’s OS. Good to know that macOS is now illegal in Parson’s view.

(Also, can somebody explain how to create a proper MD code block on this site? It appears that 3 backticks nor 4 spaces seem to properly work. Inline code block works with a single backtick)

This comment has been deemed insightful by the community.
Anonymous Coward says:

Email attachments are illegal now too!!

I would also like to point out that the most common means of encoding binary data for sending files as an email attachment is base64.

Base64 is also widely used for sending e-mail attachments. This is required because SMTP—in its original form—was designed to transport 7-bit ASCII characters only. This encoding causes an overhead of 33–36% (33% by the encoding itself; up to 3% more by the inserted line breaks).

Source: https://en.wikipedia.org/wiki/Base64

That One Guy (profile) says:

Imagine that...

Looks like the highway patrol investigation found the guilty party after all, bet he’s rather regretting setting them on the trail only to have it point right back to his office.

Still, this does nicely explain why he was so dedicated in blaming the reporters, with the blame right on his own IT team he must have figured that even the slightest amount of digging would lay the blame at his feet and so he tried to pre-emtpively shift it to someone else.

ECA (profile) says:


If’ it werent for FB, YT, and many other sites and the idiots posting on them, I would Never laugh again.

Anyone remember when the Crooks were posting and showing off all their gains on FB, and finding out that Cops could ID and track them? Knock on the door and arrest them?
Anyone watch the Sparkle bombs set out for people to steal Amazon packages?
How about tracking Scammers that have people send them money with UPS?
HOW about Hackers hacking the OTHER hackers. remote view from their OWN SERVERS AND COMPUTERS? Then call them up and describe whats going on in the office the other hackers are sitting in, talk to them about the Girl next to them.

This comment has been deemed insightful by the community.
Jim Duchek (profile) says:

Republican loudly blames <insert problem here> on <insert something Republicans hate>. Turns out, problem was <insert Republican person, group, or policy> all along.

Not really news. Just fill out the madlib and you can read it a couple hundred times a year. The louder any right-wing source yells about a problem, you more you can be sure it’s a problem caused by the right.

David says:

You are outvoted.

So, once again, Mike Parson looks incredibly ignorant, and completely unwilling to take responsibility. And the more he does so, the more this story continues to receive attention.

Experts make up a tiny percentage of the populace. The truth is a really hard barrier to success. But it takes experts to verify the intricacies of the truth.

If you want to make it in politics, improving the factual state of things is much harder than making people distrust the experts. And more and more politicians are adopting the latter strategy.

Mike Parson may look incredibly ignorant to you. But you are not part of a nondisposable majority. And in a nation where education boards tell teachers regularly that they have to treat the knowledge about God’s creation in writeups from 3000 years ago as equivalent to knowledge about God’s creation gained since then, mistrusting experts is quite natural.

Ben (profile) says:


Fixed the typo in your comment for you:

TKnarr (profile) says:


A modern webapp might do that, but "10 years ago" pretty much precludes a Javascript-based client-side React-type application. I’m trying to think of any sort of design that’d result in anything other than the record being viewed appearing in the rendered page, and frankly the only thing that comes to mind is something as stupid as the server code being powered by an Excel spreadsheet using VBA to translate the sheet into HTML (which would require a degree of deliberation and malice that I really don’t want to think about).

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...