December 7, 2021

Missouri Gov. Parson estimates investigation of ‘hack’ into teacher database by St. Louis Post-Dispatch to cost $50 million

Missouri Gov. Mike Parson on Thursday estimated an investigation into the St. Louis Post-Dispatch’s detection and reporting of a security vulnerability on the Department of Elementary and Secondary Education’s (DESE) website will cost taxpayers $50 million.

“My administration has notified the Cole County prosecutor of this matter,” Gov. Parson said during an announcement outside his office, accompanied by Capt. John Hotz of the Missouri State Highway Patrol and Sandra Kasten, director of the Department of Public Safety. “The Missouri State Highway Patrol’s digital forensic unit will also be conducting an investigation of all of those involved. This incident alone may cost Missouri taxpayers as much as $50 million and divert workers and resources from other state agencies. This matter is a serious matter. The state is committing to bring to justice anyone who hacked our system, and anyone who aided or encouraged them to do so.”

Parson struggled reading the technical words in his prepared statement describing the situation. At least one member of his own party said his assessment was incorrect.

“It’s clear the Governor’s office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities,” Rep. Tony Lovasco, R-St. Charles, posted on social media. “Journalists responsibly sounding an alarm on data privacy is not criminal hacking.” According to his biography on the House website, Lovasco has 16 years of experience in computer sales and software deployment.

Hundreds of replies and comments on Parson’s posts on social media echoed Lovasco’s comments.

“What this really boils down to is an issue of sloppy coding and sloppy implementation,” said Joseph Scherrer, director of the Cybersecurity Strategic Initiative at Washington University in St. Louis, in an interview with The Center Square. “This is rampant and it’s not just with the state of Missouri. It’s probably at the Post-Dispatch.”

The St. Louis Post-Dispatch contacted DESE on Tuesday about a vulnerability in DESE’s website. It forwarded proof by sending three social security numbers of teachers it detected in HTML code, visible to anyone who elects to view it with most internet browsers. For instance, pressing F12 when using Google Chrome to view a page will reveal the HTML code.

“I wouldn’t call it a hack,” Scherrer said. “There was no sophisticated technology or expertise needed here. It was more of a data exposure that was discovered. Not that it wasn’t a vulnerability in the database. It was an exposure of personally identifiable information and something easily fixed.”

The Post-Dispatch reported it delayed publishing its story to give DESE time to protect private data and allow the state to ensure no other web applications had similar problems.

Sarah Madden, DESE’s chief counsel, told the Post-Dispatch on Wednesday afternoon the department wouldn’t communicate further on the subject. On Wednesday evening, Missouri’s Office of Administration distributed a news release addressing “data vulnerability.”

“Through a multi-step process, a hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators,” the release said.

DESE’s online information allows the public to search individual teacher certifications and credentials. The Post-Dispatch estimated 100,000 SSNs were at risk, according to state pay records and other data.

“Everything should be as secure as possible with a state education agency and schools,” said Sajal Das, a computer science professor at Missouri University of Science and Technology. “Expert hackers can get into credit card companies and databases. No system is foolproof.”

A review of DESE’s information system governance resulted in a “good” rating in 2015 by Democrat Auditor Nicole Galloway. The report found a need for improvement in management policies and procedures and to fully establish security and privacy controls.

Parson accused the Post-Dispatch of using teacher information to intentionally humiliate the state.

“This individual is not a victim,” Parson said. “They were acting against a state agency to compromise teacher personal information in attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished and we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”

Parson publicly criticized the Post-Dispatch in July. He admonished Missourians not to read coverage of the pandemic and COVID-19 vaccination rates in the publication, the Kansas City Star and the Missouri Independent.

Joseph Martineau, an attorney with Lewis Rice representing the Post-Dispatch, provided a written statement to the publication on Wednesday regarding DESE’s initial statements.

“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” Martineau said. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.

“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
