Missouri will provide teachers credit monitoring after state security flaw found by reporter
The social security numbers of approximately 620,000 teachers were potentially exposed by a flaw in a state website. Missouri Gov. Mike Parson has vowed prosecution of the reporter who informed the state of the issue, drawing criticism from lawmakers and cybersecurity experts.
Nearly a month after a reporter identified a security flaw in a state website that exposed teachers’ social security numbers, the state announced Wednesday it was offering a year of credit monitoring services to hundreds of thousands of teachers whose personal information was put at risk
According to the Department of Elementary and Secondary Education (DESE), the personal information of approximately 620,000 current and former teachers was at risk of public disclosure — more than six times the initial 100,000 Social Security numbers the St. Louis Post-Dispatch originally estimated were vulnerable.
Last month, a St. Louis Post-Dispatch reporter discovered the security flaw, notified the state of the issue and promised to hold publication of a story until it was fixed. Instead, state departments and Gov. Mike Parson labeled the reporter a “hacker” and vowed to seek criminal prosecution.
DESE, along with the Office of Administration’s Information Technology Services Division, will provide a year of credit and identity theft monitoring services through IDX, a consumer privacy platform. The state is unaware of any misuse of teachers’ social security numbers, and teachers can expect to receive notices with details of the monitoring services.
By using an existing multi-state contract, the credit monitoring services are estimated to cost about $800,000, according to a news release.
Last month at a press conference where he refused to answer questions, Parson said the incident may cost the state upwards of $50 million — a figure some Democratic lawmakers doubted — and said his administration would stand up “against any and all perpetrators who attempt to steal personal information and harm Missourians.”
Republican and Democratic lawmakers and cybersecurity experts quickly pushed back on the state’s characterization of the reporter’s efforts. Shaji Khan, an associate professor at University of Missouri-St. Louis who spoke to the newspaper in its reporting, demanded a public apology from state officials and payment for his legal costs.
A spokesman for the Missouri State Highway Patrol said Wednesday that its investigation is ongoing.
Noticeably, the term “hacker” was absent from Wednesday’s news release.
This story was originally published on the Missouri Independent.