Missouri Admits It Fucked Up In Exposing Teacher Data, Offers Apology To Teachers -- But Not To Journalists It Falsely Accused Of Hacking
from the be-better-missouri dept
As you'll recall, last month, journalists for the St. Louis Post-Dispatch revealed that the state's Department of Elementary and Secondary Education (DESE) website was exposing teacher and administrator social security numbers in the HTML source code. This came years after state auditors had highlighted that DESE was already collecting information it should not have been collecting. Bizarrely, DESE and Missouri governor Mike Parson, rather than thanking these journalists for helping to protect the teachers, accused them of being hackers and promised to prosecute them. After people mocked him, he doubled down on the claim, and a PAC closely connected to Parson put out a bizarre ad playing up the evil "hacking" by the "fake news" media, along with ridiculous talk about "decoding the HTML source code."
Except that, now, DESE has (much more quietly, and with much less bombast) apologized for the data breach and offered credit and identity theft monitoring to teachers:
The Department of Elementary and Secondary Education (DESE), in conjunction with Missouri's Office of Administration Information Technology Services Division (OA-ITSD), will begin to send letters in the coming days to certificated educators across the state whose personally identifiable information (PII) may have been compromised during a recent data vulnerability incident.
Note the changing description here. What they were previously calling a "hack" is now, more accurately, called a "data vulnerability incident." Though a still more accurate description would be that DESE exposed the private data of teachers and administrators. Taking responsibility for that would mean being a bit more upfront about it. DESE messed up. Own it.
The state is unaware of any misuse of individual information or if information was accessed inappropriately outside of an isolated incident. However, out of an abundance of caution and in the unlikely event that this information was inappropriately accessed outside this single incident, the State of Missouri is offering 12 months of credit and identity theft monitoring resources through IDX to the approximately 620,000 past and present certificated educators whose PII was contained in the DESE certification database.
So, what's notable here is that with all the claims of "hacks" being thrown around, DESE and the Governor kept insisting that just 3 individuals, whose info the reporters checked on, were exposed, and refused to admit that it actually impacted a very large number of teachers and administrators. Now, buried in the middle of this notice, we find out that the records of 620,000 teachers and administrators were exposed, including past employees. Wow.
And, also, there's at least some kind of apology, even if it's a bit of a mealy-mouthed one:
“Educators have enough on their plates right now and I want to apologize to them for this incident and the additional inconvenience it may cause them,” said Commissioner of Education Margie Vandeven. “It is unacceptable. The security of the data we collect is of the utmost importance to our agency. Rest assured that we are working closely with OA-ITSD to resolve this situation.”
Notice, however, that the apology is only to the teachers and administrators and not to the journalists DESE and the Governor falsely accused of hacking. Perhaps that's because -- as the Kansas City Star reports -- the journalists are still being investigated for possible prosecution:
That investigation is still ongoing, according to patrol Capt. John Hotz. Those interviewed so far have included Shaji Khan, a University of Missouri - St. Louis cybersecurity expert whom the Post-Dispatch consulted to verify the data flaw. Cole County Prosecutor Locke Thompson will ultimately make a decision on whether to bring charges.
Hell, in the description of what happened, DESE ignores that it previously accused the reporters of hacking, refuses to even call them reporters (referring to them as "an individual") and then still plays up that the data needed to be "decoded."
As previously announced by OA, on October 12, 2021, DESE was made aware that the PII of at least three Missouri educators was potentially compromised. The information was located within the educator certification data available on DESE’s website. An individual told DESE that they, through a multi-step process, accessed the certification records of at least three educators, took the encoded source data from that webpage, decoded that data, and then viewed the social security number (SSN) of those specific educators. Educators’ PII was only accessible on an individual basis within this search tool, and there was no option to decode SSNs for all educators in the system all at once.
Again, if you click on the "previously announced" link, it takes you right to the announcement that calls the reporter "a hacker" and accuses them of "taking records."
Notably, Governor Mike Parson, who was so eager to call the journalists hackers and call for their prosecution, has not (as of this writing) said anything directly on Twitter about all this -- other than a bizarre tweet this morning about how "great teachers are crucial to our workforce development goals." Of course, one way to get great teachers is not to expose their data, and then not to try to cover it up or to blame the responsible and ethical disclosure practices of journalists who actually helped to protect those teachers.
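As an added illustration (not part of the original post, and not DESE's or the state's code): the kind of pre-publication check that would have caught this exposure. It scans served HTML for SSN-shaped values in visible text and in tag attributes, and it also base64-decodes any token that looks like base64 before checking, because "encoded" data in a page is readable by anyone who can view the source. The markup and the SSN in it are constructed samples, and the article does not say which encoding DESE actually used, so base64 is an assumption chosen for illustration.

```python
"""Scan served HTML for SSN-shaped values, including ones behind trivial
encodings such as base64. Added example for this article; not DESE's code.
The real page's markup and encoding are not known, so base64 is assumed."""
import base64
import binascii
import re
from html.parser import HTMLParser

# SSN-shaped: area not 000/666/9xx, group not 00, serial not 0000,
# with or without hyphens, not embedded in a longer digit run.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}(?!\d)"
)
# Tokens that could be base64: 16+ alphabet chars plus optional padding.
B64_CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decoded_layers(value):
    """Yield (layer, text): the raw value, then every base64 token in it,
    decoded. Encoding is not encryption; anyone with the page source can
    do this step, so the scanner does it too."""
    yield "raw", value
    for token in B64_CANDIDATE_RE.findall(value):
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        yield "base64", decoded.decode("latin-1")


class SSNScanner(HTMLParser):
    """Walks tags, attributes and text, recording each SSN-shaped match
    with where it sat and which decoding layer revealed it."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, location, value):
        for layer, text in _decoded_layers(value):
            for m in SSN_RE.finditer(text):
                # Report only the last four digits, never the full value.
                self.findings.append({
                    "location": location,
                    "layer": layer,
                    "ssn_last4": m.group(0)[-4:],
                })

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self._check(f"<{tag} {name}>", value)

    def handle_data(self, data):
        if data.strip():
            self._check("text", data)


def find_ssn_exposures(html):
    """Return the list of findings for one HTML document."""
    scanner = SSNScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not DESE's). One fabricated SSN, 123-45-6789,
# planted in a hidden input and, base64-encoded inside a JSON blob, in a
# data attribute. The visible text carries only a certificate number.
SAMPLE_HTML = """
<html><body>
<div class="educator">
  <span class="name">Jane Q. Educator</span>
  <span class="cert">Certificate T1001, status active</span>
  <input type="hidden" name="ssn" value="123-45-6789">
  <div id="cert-data" data-blob="eyJzc24iOiIxMjM0NTY3ODkifQ=="></div>
</div>
</body></html>
"""

if __name__ == "__main__":
    for f in find_ssn_exposures(SAMPLE_HTML):
        print(f"{f['location']:<20} via {f['layer']:<6} ...{f['ssn_last4']}")
```

Run against a saved copy of a page (or wired into a deploy pipeline that fetches each template with test data), the scanner reports both the plainly embedded value and the one that only appears after decoding; a page that needs the second check to fail is exactly the situation DESE described as "encoded source data" that an individual "decoded."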
Filed Under: credit monitoring, data breach, data vulnerability, dese, hacking, journalism, mike parson, missouri, st. louis, teachers
Reader Comments
A shame the "Show Me" state refuses to take off its blindfold.
Of course the reporters won’t receive an apology. An apology requires the person(s) apologizing to admit some kind of fault with their own actions.
Re:
And since some people are never wrong(in their minds) and their ego can't take the idea that they might be and might have made a fool of themselves in public...
It's funny how many companies and government organizations trot out the "the security of the data we collect is of the utmost importance" line AFTER an easily preventable breach or (as in the case here) blatant information security malpractice. If the security of users were truly important to them, it wouldn't be an afterthought, and they wouldn't be attacking the white hats who properly disclose vulnerabilities in a responsible manner.
Re:
The "your call is important to us" (so we're putting you on 90 minute hold rather than employ more people) mindset: If we say it's important, then that's enough.
Re:
"It's funny how many companies and government organizations trot out the "the security of the data we collect is of the utmost importance" line AFTER an easily preventable breach..."
Given that the WCry trojan was designed by a leaked NSA spy kit we know already that not even the most competent and best funded intel organizations can keep their data secured. What hope does a rural backwards state with half a leg still in the 18th century have?
You sort of have to admire the sheer unadulterated Chutzpah of these fuckwit grifters when they keep standing in front of the yawning door of the empty barn claiming that keeping the horses secured is the highest priority.
'Here's an ounce, now we're off to demand a pound...'
If anything, offering credit and identity monitoring for a year to the teachers affected while still going after the reporters who exposed the problem is more an insult than an apology to them, because the state is still sticking with a strategy that all but ensures that the next time the state screws up, those with good intentions will look the other way lest they be targeted for harassment, while those with ill intentions dive right in to exploit the vulnerability.
It's like slapping a bandaid on a stab wound and pretending that that's all that's needed, except worse, as by continuing to run with that idea the bandaid in question is designed to make the person more likely to be stabbed again in the future.
Re: 'Here's an ounce, now we're off to demand a pound...'
It's like the state stabbing them with a knife, and when reporters point this out, the state then slaps a bandaid on the wound and charges the reporters with the stabbing.
BREAKING NEWS: Schools Install Hacking Software
Big Tech company Google was caught red-handed offering a hacking tool to schools and even the general public. The tool in question, Google Chrome, is known to decode HTML code and even display the source code of the content it displays with a simple right-click function. There are even reports that people can use an inspect tool to temporarily change what a webpage says without the authorization of the website owner. Google laughed off requests for comment, but Missouri's governor is insistent that it will hold all who downloaded and used the tool accountable as well as investigate schools that use the software in question.
Re: BREAKING NEWS: Schools Install Hacking Software
Stop channeling tp...
Re: Re: BREAKING NEWS: Schools Install Hacking Software
At least we all know Rico is joking rather than being insane like tp (for my bunghole!) is…
Re: Re: Re: BREAKING NEWS: Schools Install Hacking Software
Yeah, and his post is hilariously close to something tp would actually say.
Re: Re: Re: Re: BREAKING NEWS: Schools Install Hacking Software
I remember when commenters would post accurate parodies of out_of_the_blue. Good times, good times.
Re: Re: Re: Re: Re: BREAKING NEWS: Schools Install Hacking Software
That's sooooo last decade...
Re: BREAKING NEWS: Schools Install Hacking Software
In other NEWS!!!
Missouri's governor is suing the descendants of Leonardo Da Vinci because he wrote the Da Vinci Code, which is the precursor of all modern computing code, including encryption and decryption, and thus is principally responsible for this egregious data hack and the enablement of Big Tech. The governor further moved to arrest and jail all perpe"traitors" of ROT26, "whatever that heinous hell-code is".
"These hackers are using specific decoders to intercept our information. From here on we'll be defeating them by the use of 'plain-text encoding'", the governor was alleged to have said.
Permit blocking of view-source
Credit monitoring for less than $2/teacher? Guess the state is still on the cheap...
Shocked!
Imagine my surprise when I saw that governor is a republican.
Re: Shocked!
Shocking, innit?
At the end of the day we have Goldwater and Nixon's "Southern Strategy" to thank for the GOP going from being the party of intellectual liberalism and hard science sceptical of religion to being the party of hysterical fearmongering morons competing in grifting.
I keep wanting to ask wtf happened but, alas, I'm fairly well read both on German tween-wars history as well as the US 60's and 70's. I know damn well what happened and how.
I know it can't/won't/shouldn't happen but I'd love to see the Gov sued for this fiasco.
They should have known better than to put SS numbers on anything publicly accessible.
They should have had audits; this shit's been going on for years.
They had no idea what the journalists had accessed, which means they have no idea what some curious "hacker" managed to find in the years they thought SS numbers "hidden" in the HTML was a great idea.
He lied about this being a hack & tried to blame the reporters who did everything in a responsible way. The fact the case is still open raises questions about the mental competency of those investigating and pondering if to charge or not.
"we find out that the records of 620,000 teachers and administrators were exposed, including past employees."
620,000 people got screwed by these assholes & will end up having to deal with any fallout of the complete failure of the state to do even the most basic security things.
On a side thought, how many more millions of SS numbers getting leaked will finally force the government to block using SS numbers for getting credit? (Remember that this is the same government that made Medicare IDs people's SS numbers despite there being widespread fraud that they expected people in their 80s to discover and report to them.)
Imagine if the law held the victims of id theft as actual victims & put the cleanup of the wreckage on the lender & the credit agency. I imagine that securing their networks might take priority after the first couple million they end up on the hook for. Citizens can do everything right, but are always left to clean up the mess made by others who thought rot13 was uncrackable.
"An individual told DESE that they, through a multi-step process, accessed the certification records of at least three educators, took the encoded source data from that webpage, decoded that data, and then viewed the social security number (SSN) of those specific educators"
A reminder before the usual technology clueless suspects turn up that encoding and encryption are not the same thing. Whether the information was encoded in base64 or in Finnish, translating the plain text into readable English is not the same as bypassing encryption. If decoding the text was illegal, you would still be seeing the HTML tags on the displayed page.
Also a reminder that trying to prosecute journalists for telling you about a laughably basic security flaw is always something that will backfire on you, from having the globe laughing at you with these articles, to people just letting the actual black hats steal your data next time. If you made such a basic screw up here, it's likely you have others, and nobody's going to tell you about those ones now.
"Educators’ PII was only accessible on an individual basis within this search tool, and there was no option to decode SSNs for all educators in the system all at once."
Oh, cool, so if you're only letting one user at a time get doxxed instead of your entire staff at once, that's acceptable?
Re:
"If you made such a basic screw up here, it's likely you have others"
The first rule of software testing: bugs never travel alone.
You have 99 bugs in your program. You patch one. You now have 127 bugs in your program.
Re:
I have 99 bugs but a feature ain't one.
Re:
You've seen my code :)
Resolve
So... it hasn't been resolved? The SSNs are still there in the source code?