{"id":6194,"date":"2021-10-15T10:00:00","date_gmt":"2021-10-15T15:00:00","guid":{"rendered":"https:\/\/hoorfarlaw.com\/blog\/?p=6194"},"modified":"2021-10-15T12:17:45","modified_gmt":"2021-10-15T17:17:45","slug":"missouri-teachers-social-security-numbers-at-risk-on-state-agencys-website","status":"publish","type":"post","link":"https:\/\/hoorfarlaw.com\/blog\/?p=6194","title":{"rendered":"Missouri teachers\u2019 Social Security numbers at risk on state agency\u2019s website"},"content":{"rendered":"\n<p>The Social Security numbers of school teachers, administrators and counselors across Missouri were vulnerable to public exposure due to flaws on a website maintained by the state\u2019s Department of Elementary and Secondary Education.<\/p>\n\n\n\n<p>The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.<\/p>\n\n\n\n<p>Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright size-large is-resized\"><a href=\"https:\/\/hoorfarlaw.com\/blog\/wp-content\/uploads\/2021\/10\/social-security.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/hoorfarlaw.com\/blog\/wp-content\/uploads\/2021\/10\/social-security-1024x576.jpg\" alt=\"\" class=\"wp-image-6195\" width=\"257\" height=\"144\" srcset=\"https:\/\/hoorfarlaw.com\/blog\/wp-content\/uploads\/2021\/10\/social-security-1024x576.jpg 1024w, https:\/\/hoorfarlaw.com\/blog\/wp-content\/uploads\/2021\/10\/social-security-300x169.jpg 300w, https:\/\/hoorfarlaw.com\/blog\/wp-content\/uploads\/2021\/10\/social-security-768x432.jpg 768w, https:\/\/hoorfarlaw.com\/blog\/wp-content\/uploads\/2021\/10\/social-security-1536x864.jpg 1536w, 
https:\/\/hoorfarlaw.com\/blog\/wp-content\/uploads\/2021\/10\/social-security-2048x1152.jpg 2048w\" sizes=\"auto, (max-width: 257px) 100vw, 257px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>The newspaper delayed publishing this report to give the department time to take steps to protect teachers\u2019 private information, and to allow the state to ensure no other agencies\u2019 web applications contained similar vulnerabilities.<\/p>\n\n\n\n<p>It wasn\u2019t immediately clear how long the Social Security numbers and other sensitive information had been vulnerable on the DESE website, nor was it known if anyone had exploited the flaw.<\/p>\n\n\n\n<p>Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers\u2019 Social Security numbers were contained in the HTML source code of the pages involved.<\/p>\n\n\n\n<p>The 2015 audit found that DESE was unnecessarily storing students\u2019 Social Security numbers and other personally identifiable information in its Missouri Student Information System. The audit urged the department to stop that practice and to create a comprehensive policy for responding to data breaches, among other recommendations. The department complied, but clearly at least one other system contained an undetected vulnerability.<\/p>\n\n\n\n<p>In the letter to teachers, Education Commissioner Margie Vandeven said \u201can individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.\u201d<\/p>\n\n\n\n<p>In reality, the Post-Dispatch discovered the vulnerability and confirmed that the nine-digit numbers were indeed Social Security numbers. 
The paper then told the department that it had confirmed the vulnerability with three educators and a cybersecurity expert.<\/p>\n\n\n\n<p>But in the press release, DESE called the person who discovered the vulnerability a \u201chacker\u201d and said that individual \u201ctook the records of at least three educators\u201d \u2014 instead of acknowledging that more than 100,000 numbers had been at risk, and that they had been available to anyone through DESE\u2019s own search engine.<\/p>\n\n\n\n<p>\u201cFor those educators determined to be impacted by this vulnerability, the state will make every effort to contact you directly as soon as possible to share information about the next steps,\u201d Vandeven said in her letter.<\/p>\n\n\n\n<p>Post-Dispatch attorney Joseph Martineau, of Lewis Rice, responded to DESE\u2019s statements late Wednesday:<\/p>\n\n\n\n<p>\u201cThe reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,\u201d Martineau said in a written statement. \u201cA hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.<\/p>\n\n\n\n<p>\u201cFor DESE to deflect its failures by referring to this as \u2018hacking\u2019 is unfounded. Thankfully, these failures were discovered.\u201d<\/p>\n\n\n\n<h4 class=\"has-medium-font-size wp-block-heading\"><strong>What teachers can do<\/strong><\/h4>\n\n\n\n<p>Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, recommended that Missouri teachers request a&nbsp;<a href=\"https:\/\/www.ftc.gov\/faq\/consumer-protection\/get-my-free-credit-report\" target=\"_blank\" rel=\"noreferrer noopener\">free credit report<\/a>&nbsp;from the three major credit bureaus \u2014 Equifax, TransUnion and Experian \u2014 and monitor them carefully. 
Teachers should place a credit freeze with the bureaus if they notice suspicious activity, he said.<\/p>\n\n\n\n<p><strong>People who believe their&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/ago.mo.gov\/civil-division\/consumer\/identity-theft-data-security\/identity-theft\" target=\"_blank\">identity has been stolen<\/a>&nbsp;may report it to the Federal Trade Commission at&nbsp;<a rel=\"noreferrer noopener\" href=\"http:\/\/www.identitytheft.gov\/\" target=\"_blank\">www.identitytheft.gov<\/a>.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Social Security numbers of school teachers, administrators and counselors across Missouri were vulnerable to public exposure due to flaws on a website maintained by the state\u2019s Department of Elementary and Secondary Education. The Post-Dispatch discovered the vulnerability in a &hellip; <a href=\"https:\/\/hoorfarlaw.com\/blog\/?p=6194\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6194","post","type-post","status-publish","format-standard","hentry","category-general"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hoorfarlaw.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/6194","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hoorfarlaw.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hoorfarlaw.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hoorfarlaw.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hoorfarlaw.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6194"}],"version-history":[{"co
unt":2,"href":"https:\/\/hoorfarlaw.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/6194\/revisions"}],"predecessor-version":[{"id":6197,"href":"https:\/\/hoorfarlaw.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/6194\/revisions\/6197"}],"wp:attachment":[{"href":"https:\/\/hoorfarlaw.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hoorfarlaw.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hoorfarlaw.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}