The state department of elementary and secondary education was hacked and the social security numbers of three Missouri educators were potentially compromised, the department noted on Tuesday.
Personally identifiable information, including Social Security numbers, of three Missouri educators was accessed through the state’s educator certification data on the DESE website on October 12.
The hacker took the files of at least three educators, decoded the HTML source code and accessed social security numbers.
Upon verification, DESE notified the Missouri Office of Administration of the Information Technology Services Division – the department responsible for creating and maintaining the website application that was compromised.
OA-ITSD has disabled the Educator Certification Finder by removing public access and updated the code to fix its vulnerability.
“OA-ITSD takes citizen data security very seriously. We use multiple tools from multiple vendors to scan for vulnerabilities on an ongoing basis, as well as code reviews using secure coding practices, ”said Jeff Wann, chief information officer for Missouri. “As new threats continually arise, ITSD is moving quickly to address them. After learning about the vulnerability, the ITSD removed public access to the system and updated the code to immediately address the vulnerability. All public systems in the same situation have been assessed for this vulnerability. and no other cases were found. Modernizing government systems is a high priority to ensure that evolving security threats are addressed. “
The compromised data is linked to a 2011 DESE tool that local education agencies can use to verify certificates held by educators.
Local education agencies may use the last four digits of an educator’s social security number as unique information when looking to verify certifications.
Educator records were viewed on an individual basis as there is no option to decode Social Security numbers for all educators at once.
According to an OA press release, the state is not currently aware of any misuse of individuals’ information.
The OA-ITSD continues to investigate the incident to ensure there are no additional issues in the DESE data or data collected by other state agencies.
It has tested all public web applications in all state agencies and has not identified any additional vulnerabilities in the past 24 hours.
Additionally, third-party penetration testers have been invited to examine this vulnerability on all state government websites.
The OA-ITSD has previously performed vulnerability scans of DESE’s Educator Certification Finder, none of which identified any issues or potential threats.
DESE and OA-ITSD will continue to assess the situation and determine next steps. Updates will be posted to dese.mo.gov/data-incident.