Missouri apologizes to 600k teachers who had SSNs and private info exposed, offers credit monitoring | ZDNet

Missouri’s Department of Elementary and Secondary Education (DESE) has apologized to the 620,000 past and present educators who had their sensitive information — including their social security numbers — exposed on the DESE certification database.

Missouri’s Office of Administration Information Technology Services Division (OA-ITSD) and the DESE will send out letters to those affected notifying them that their personally identifiable information “may have been compromised during a recent data vulnerability incident.”

The situation caused national headlines last month because the governor of the state used the incident to attack The St. Louis Post-Dispatch. A reporter from the newspaper discovered a vulnerability in the certification database that exposed teacher data, notified the DESE and gave them time to fix it before publishing his story. 

But Missouri Governor Mike Parson claimed the reporter had “hacked” the database himself and threatened legal charges against him. Since being ridiculed by cybersecurity professionals — and even members of his own party — Parson has used the incident to fundraise for himself, bringing in about $85,000 thanks to an ominous video doubling down on the hacking accusations, according to the Post-Dispatch. 

But DESE officials alongside members of OA-ITSD apologized this week to the teachers who had their data exposed and offered 12 months of credit and identity theft monitoring resources through IDX. 

“Educators have enough on their plates right now and I want to apologize to them for this incident and the additional inconvenience it may cause them,” said Commissioner of Education Margie Vandeven. 

“It is unacceptable. The security of the data we collect is of the utmost importance to our agency. Rest assured that we are working closely with OA-ITSD to resolve this situation.”

The state claims it is “unaware of any misuse of individual information or if information was accessed inappropriately outside of an isolated incident.” But officials said that “out of an abundance of caution and in the unlikely event that this information was inappropriately accessed outside this single incident,” they wanted to provide teachers with some protection. 

Those who may have been affected by the issue can call the IDX Call Center at 833-325-1777.

DESE explained that the reporter told them he was able to view the social security numbers of certain teachers “through a multi-step process,” that involved accessing the certification records of at least three educators and then taking the encoded source data from that webpage and “decoding that data.”

“Educators’ PII was only accessible on an individual basis within this search tool, and there was no option to decode SSNs for all educators in the system all at once. Upon verification of the threat, DESE immediately notified OA-ITSD who immediately disabled the educator certification search tool,” the state said. 

“OA-ITSD staff are working now to reconfigure the educator certification search tool and to reinforce security to prevent further unauthorized access of educators’ PII. This incident remains under investigation. The services offered through IDX will cost the state approximately $800,000. The state was able to take advantage of an existing multi-state contract with this vendor, which significantly lowered the cost for the credit and identity theft monitoring services.”

Parson originally claimed during a press conference that the incident would cost the state $50 million as opposed to the $800,000 that is now being spent. Despite the ridicule Parson got from cybersecurity experts, the Missouri Highway Patrol-led investigation into the incident is still ongoing.