[BreachExchange] Parson vows to ‘utilize all legal methods’ after Post-Dispatch employee discovers DESE website vulnerability

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Oct 14 15:41:00 EDT 2021


https://themissouritimes.com/parson-vows-to-utilize-all-legal-methods-after-post-dispatch-employee-discovers-dese-website-vulnerability/


Gov. Mike Parson vowed to hold “perpetrators” responsible after educators’
personal information on the Department of Elementary and Secondary
Education’s (DESE) website was compromised.

The whole matter — which the governor called a “hack” — could cost the
taxpayers up to $50 million, Parson said.

Parson said an individual obtained personal information, including Social
Security numbers, of at least three teachers through a “multistep process”
that decoded and converted the data. The Cole County prosecutor has been
notified, and the Missouri State Highway Patrol’s Digital Forensic Unit
will conduct an investigation “of all of those involved.”

“This administration is standing up against any and all perpetrators who
attempt to steal personal information and harm Missourians. It is unlawful
to access encoded data and systems in order to examine other peoples’
personal information,” Parson said during a press conference Thursday
morning. “We are coordinating state resources to respond and utilize all
legal methods available.”

In a story Wednesday, the St. Louis Post-Dispatch said one of its employees
had “discovered the vulnerability in a web application” and notified DESE.

The newspaper’s attorney, Joseph Martineau of Lewis Rice, said:

“The reporter did the responsible thing by reporting his findings to DESE
so that the state could act to prevent disclosure and misuse. A hacker is
someone who subverts computer security with malicious or criminal intent.
Here, there was no breach of any firewall or security and certainly no
malicious intent.”

“For DESE to deflect its failures by referring to this as ‘hacking’ is
unfounded. Thankfully, these failures were discovered.”

The Post-Dispatch said it held off on publishing its story in order to give
DESE time to correct the website.

But Parson said the individual did not have the authorization to decode the
personal information gleaned from the website, saying “this was clearly a
hack.”

“This matter is a serious matter. The state is committing to bring to
justice anyone who hacked our system and anyone who aided and encouraged
them to do so,” Parson said. “This individual is not a victim. They were
acting against the state agency to compromise teachers’ personal
information in an attempt to embarrass the state and sell headlines for
their news outlet.”

DESE’s website compiles teacher information that can be accessed by local
school districts when verifying an educator’s certification. The last four
digits of a person’s SSN can be used to identify an educator.
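The article does not describe the lookup tool's internals beyond saying that encoded data was "decoded and converted". The following is an added illustration, not DESE or OA-ITSD code, of the design point behind that description: a certification-lookup service that ships a (reversibly) encoded SSN to the client for the last-four check, beside one that keeps the SSN server-side and answers only match/no-match. The records, IDs and the base64 encoding are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample records with fake SSNs (assumption, not real data).
EDUCATORS = {
    "MO-0001": {"name": "A. Example", "ssn": "123-45-6789", "cert": "Active"},
    "MO-0002": {"name": "B. Example", "ssn": "987-65-4321", "cert": "Expired"},
}

def weak_lookup(cert_id):
    """Assumed weak pattern: the server hands the client the whole record and
    leaves the last-four comparison to the browser. Encoding the SSN is not
    protection; anything the client can decode, anyone reading the response
    can decode too."""
    rec = EDUCATORS[cert_id]
    return {"name": rec["name"], "cert": rec["cert"],
            "ssn_enc": base64.b64encode(rec["ssn"].encode()).decode()}

def exposed_ssn(resp):
    """Defender's check: does a response still contain a recoverable SSN?"""
    return base64.b64decode(resp["ssn_enc"]).decode()

# Server-side secret (assumption); it never leaves the server.
_PEPPER = os.urandom(32)

def _tag(cert_id, last4):
    # Keyed hash binds the last four digits to one certificate ID, so the
    # stored value is useless for any other educator or any other service.
    return hmac.new(_PEPPER, f"{cert_id}:{last4}".encode(), hashlib.sha256).digest()

# Provisioned once: only the keyed hash of (cert_id, last four) is stored for
# verification; the SSN itself is not needed by this service at all.
VERIFIER = {cid: _tag(cid, r["ssn"][-4:]) for cid, r in EDUCATORS.items()}

def hardened_verify(cert_id, last4):
    """The district submits the last four digits; the server answers yes/no.
    No SSN, encoded or otherwise, appears in the response, and each call
    checks one educator, so rate-limiting per caller still matters."""
    if cert_id not in VERIFIER or len(last4) != 4 or not last4.isdigit():
        return {"match": False}
    if not hmac.compare_digest(VERIFIER[cert_id], _tag(cert_id, last4)):
        return {"match": False}
    return {"match": True, "cert": EDUCATORS[cert_id]["cert"]}
```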

Upon discovering the vulnerability Tuesday, DESE notified the Office of
Administration’s Information Technology Services Division (OA-ITSD), which
administers the website the information was housed on, and public access to
the system was closed.

“These records were only accessible on an individual basis, and there was
no option to decode SSNs for all educators in the system all at once,” DESE
Commissioner Margie Vandeven said in a letter to educators. “The state is
unaware of any misuse of individual information or even whether information
was accessed inappropriately outside of this isolated incident. The
situation is in the early stages of investigation.”

Parson said the state is working to strengthen its security to prevent a
similar “incident.”

“We apologize to the hardworking Missouri teachers who now have to wonder
if [their] personal information was compromised for pathetic, political
gain by what is supposed to be one of Missouri’s news outlets,” the
governor said.

The tool has been online for a decade and has been reviewed multiple times
with no vulnerability found, according to the Office of Administration.

Missouri Chief Information Officer Jeff Wann said the division quickly
responded to the issue and surveyed other sites for similar
vulnerabilities.

“As new threats continually arise, ITSD acts quickly to address those
threats,” Wann said. “Upon learning of this vulnerability, ITSD removed
public access from the system and updated the code to remediate the
vulnerability immediately. All similarly situated public-facing systems
were evaluated for this vulnerability and no other instances were found.
Modernizing the state’s systems is a high priority to assure ever-changing
security threats are addressed.”

Wann and Vandeven encouraged educators to monitor credit reports to ensure
their information was not being used.

A 2015 report from Auditor Nicole Galloway raised concerns over DESE’s
Missouri Student Information System, a student information reporting system
that also compiles Social Security numbers in some cases. Galloway
recommended keeping personal information at a minimum to limit the
potential negative effects of a data breach.

Department of Public Safety Director Sandy Karsten joined Parson at the
morning press conference although she did not speak. Vandeven was not in
attendance.

Officials did not take questions following Parson’s remarks.