By FDI Creative Services on 02/22/2022
Category: Krebs on Security

Report: Missouri Governor’s Office Responsible for Teacher Data Leak

Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 — two years after responsibility for securing the state’s IT systems was centralized within Parson’s own Office of Administration.

Missouri Gov. Mike Parson (R), vowing to prosecute the St. Louis Post-Dispatch for reporting a security vulnerability that exposed teacher SSNs.

In October 2021, St. Louis Post-Dispatch reporter Josh Renaud alerted Missouri education department officials that their website was exposing the Social Security numbers of more than 100,000 primary and secondary teachers in the state. Renaud found teachers’ SSNs were accessible in the HTML source code of some Missouri education department webpages.

After confirming that state IT officials had secured the exposed teacher data, the Post-Dispatch ran a story about their findings. Gov. Parson responded by holding a press conference in which he vowed his administration would seek to prosecute and investigate “the hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”

“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson said in October. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”

Parson tasked the Missouri Highway Patrol to produce a report on their investigation into “the hackers.”  On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that Renaud did nothing wrong and only accessed information that was publicly available.

Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was “not an actual network intrusion” and the state database was “misconfigured.” The emails also revealed the proposed message when education department leaders initially prepared to respond in October:

“We are grateful to the member of the media who brought this to the state’s attention,” was the proposed quote attributed to the state’s education commissioner before Parson began shooting the messenger.

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state’s Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade.

McGowin also said the DESE’s website was developed and maintained by the Office of Administration’s Information Technology Services Division (ITSD) — which the governor’s office controls directly.

“I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct,” the Highway Patrol investigator wrote. “I asked her if the ITSD was within the Office of Administration, or if DESE had their on-information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration.”

The report was a vindication for Renaud and for University of Missouri-St. Louis professor Shaji Khan, who helped the Post-Dispatch verify that the security flaw existed. Khan was also a target of Parson’s vow to prosecute “the hackers.” Khan’s attorney Elad Gross told the publication his client was not being charged, and that “state officials committed all of the wrongdoing here.”

“They failed to follow basic security procedures for years, failed to protect teachers’ Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem,” Gross told The Post-Dispatch. “We thank the Missouri State Highway Patrol and the Cole County Prosecutor’s Office for their diligent work on a case that never should have been sent to them.”

Related Posts