The Social Security numbers of school teachers, administrators and counselors across Missouri were vulnerable to public exposure due to flaws on a website maintained by the state’s Department of Elementary and Secondary Education.
The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.
Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.
The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.
“We have worked with our data team and the Office of Administration Information Technology Services Division to get that search tool pulled down immediately, so we can dig in to the situation and learn more about what has happened,” department spokeswoman Mallory McGowin said Tuesday.
It wasn’t immediately clear how long the Social Security numbers and other sensitive information had been vulnerable on the DESE website, nor was it known if anyone had exploited the flaw.
“We’re pretty shocked to hear about this,” said Byron Clemens, spokesman for the local chapter of the American Federation of Teachers, AFT St. Louis Local 420. He praised DESE for taking quick action to remove the affected website, but cautioned, “We don’t know if anybody’s been harmed yet.”
‘A serious flaw’
Though no private information was visible or searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were embedded in the HTML source code of the pages involved.
The newspaper asked Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, to confirm the findings. He called the vulnerability “a serious flaw.”
“We have known about this type of flaw for at least 10-12 years, if not more,” Khan wrote in an email. “The fact that this type of vulnerability is still present in the DESE web application is mind boggling!”
Khan urged the state to perform a thorough audit to ensure no other web applications contain similar vulnerabilities.
According to McGowin, such an audit had begun Tuesday and was still underway at noon Wednesday. She said that as far as she was aware, no other instances of the flaw had been identified.
“Unfortunately, these types of flaws and poor design choices are more common than we’d like,” Khan wrote. “Local and state governments across the country are often still using applications developed many years ago and potentially containing serious security flaws.”
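The kind of audit Khan urges can be partly automated by checking what a server actually sends, not just what the browser displays. The following Python script is an added example, not code from DESE or the Post-Dispatch: it scans a served HTML page for SSN-shaped values in hidden form fields, other attribute values, comments and inline scripts, and discards numbers the Social Security Administration never issues to limit false positives. The sample page and every number in it are constructed test data.

```python
"""Audit check: flag SSN-shaped values buried in served HTML.

Added example, not DESE's code. The sample page below is constructed;
its numbers are fabricated test values, not real SSNs.
"""
import re
from html.parser import HTMLParser

# 9 digits, optionally dashed, not part of a longer digit run (phone numbers etc.)
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


class HiddenDataScanner(HTMLParser):
    """Collect SSN-shaped values from every part of the page source, recording
    where each one sat (attribute, comment, script, or visible text)."""

    def __init__(self):
        super().__init__()
        self.findings = []        # (location, value masked to its last 4 digits)
        self._in_script = False

    def _scan(self, where, text):
        for m in SSN_RE.finditer(text):
            if plausible_ssn(*m.groups()):
                self.findings.append((where, f"***-**-{m.group(3)}"))

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:           # e.g. <input type="hidden" value="...">
            if value:
                self._scan(f"<{tag} {name}>", value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_comment(self, data):
        self._scan("comment", data)

    def handle_data(self, data):
        self._scan("script" if self._in_script else "text", data)


def find_exposed_ssns(html: str):
    """Return [(location, masked value)] for every plausible SSN in the source."""
    scanner = HiddenDataScanner()
    scanner.feed(html)
    return scanner.findings


SAMPLE_HTML = """<!-- constructed test page; numbers are fabricated -->
<html><body><h1>Educator Certification Lookup</h1>
<table><tr><td>Jane Doe</td><td>Active</td></tr></table>
<form><input type="hidden" name="educatorId" value="123-45-6789">
<input type="hidden" name="recordId" value="000-11-2222"></form>
<script>var rec = {"ssn": "321-54-9876", "phone": "3145550100"};</script>
</body></html>"""

if __name__ == "__main__":
    for where, masked in find_exposed_ssns(SAMPLE_HTML):
        print(f"{where}: {masked}")
```

Run against a crawl of an application's pages, the locations reported tell an auditor whether the data leaks through a form field, a template comment or an embedded JSON blob, which is where the fix belongs.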
The 2015 audit found that DESE was unnecessarily storing students’ Social Security numbers and other personally identifiable information in its Missouri Student Information System. The audit urged the department to stop that practice and to create a comprehensive policy for responding to data breaches, among other recommendations. The department complied, but clearly at least one other system contained an undetected vulnerability.
The public has a right to see certain kinds of data about teachers because they are public employees, Clemens said. But he wants his members’ private information to be protected.
“We think certificated teachers deserve the same privacy rights as anybody else,” he said.
100,000 at risk
McGowin said Tuesday that the department would discuss its findings with the newspaper by Wednesday evening. However, around 3 p.m., the department’s chief counsel, Sarah Madden, told the Post-Dispatch that the department would communicate no further on the matter.
And by Wednesday evening, the department had sent out a letter to teachers and posted a press release on its website.
In both, the department minimized the impact and then blamed the Post-Dispatch for discovering the vulnerability.
In the letter to teachers, Education Commissioner Margie Vandeven said “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”
In reality, the Post-Dispatch discovered the vulnerability and confirmed that the nine-digit numbers were indeed Social Security numbers. The paper then told the department that it had confirmed the vulnerability with three educators and a cybersecurity expert.
But in the press release, DESE called the person who discovered the vulnerability a “hacker” and said that individual “took the records of at least three educators” — instead of acknowledging that more than 100,000 numbers had been at risk, and that they had been available to anyone through DESE’s own search engine.
“For those educators determined to be impacted by this vulnerability, the state will make every effort to contact you directly as soon as possible to share information about the next steps,” Vandeven said in her letter.
Post-Dispatch attorney Joseph Martineau, of Lewis Rice, responded to DESE’s statements late Wednesday:
“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” Martineau said in a written statement. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.
“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”