JEFFERSON CITY — Nearly a month after the Post-Dispatch notified the state of a vulnerability in one of its databases, officials announced Wednesday they are offering a year’s worth of credit monitoring services to an estimated 620,000 current and former teachers.
The identity theft monitoring service, first reported by the newspaper last week, will cost an estimated $800,000, which is far lower than the $50 million Gov. Mike Parson said the incident could cost taxpayers.
The company, , has managed thousands of data breach events since 2003.
In a statement, the Department of Elementary and Secondary Education said it is sending letters in the coming days to certificated educators across the state whose personally identifiable information may have been compromised.
People are also reading…
“The state is unaware of any misuse of individual information or if information was accessed inappropriately outside of an isolated incident,†the statement said.
DESE spokeswoman Mallory McGowin said the service was being extended to the pool of more than 600,000 educators “out of an abundance of caution.â€
“The database contains records for all certificated educators, including anyone who holds any kind of teaching certificate, including substitute teachers and school administrators. There is also a relatively small number of non-certificated individuals who had information in the database because their information was uploaded into DESE’s Core Data system by their school district,†McGowin said.
Commissioner of Education said she was sorry for the potential breach.
“Educators have enough on their plates right now and I want to apologize to them for this incident and the additional inconvenience it may cause them,†Vandeven said. “It is unacceptable. The security of the data we collect is of the utmost importance to our agency.â€
The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials.
The newspaper delayed publishing its report until the Department of Elementary and Secondary Education had removed the affected pages from its website and the state had time to examine other agencies’ web applications for similar vulnerabilities.
The security flaw on DESE’s website included Social Security numbers in the HTML source code of a web application that allowed the public to look up teachers’ certification status. The information was not encrypted and did not require authentication by website users.
How long the Social Security numbers and other sensitive information had been vulnerable on the DESE website or whether anyone had exploited the flaw is unknown.
Following the initial report on the state’s vulnerabilities, Gov. Mike Parson accused the newspaper of hacking the website in a “crime against Missouri teachers†and called for an investigation by the Cole County prosecutor and the Missouri Highway Patrol.
Parson’s declaration was met with derision from cybersecurity experts and earned national media attention.
The investigation is ongoing.
Following Parson’s tirade, the governor’s political action committee launched a video highlighting his attacks on the newspaper.
The 55-second video by the Uniting Missouri PAC praises Parson for standing up to the state’s “fake news factory.†It also suggests the reporter was “digging around†in personal data about teachers.
Since then, Uniting Missouri has collected at least $85,000 in contributions, according to reports filed with the Missouri Ethics Commission. Among the contributors were Baker Implement Co. of Kennett and Martin Grain Co. of Bernie.
In this Series
Essential reading: Governor threatens Post-Dispatch after discovery of data vulnerability
-
The Chat Room: How dangerous is Gov. Mike Parson’s failed attempt to prosecute a Post-Dispatch reporter?
-
Inside the Post-Dispatch: Josh Renaud reacts to the Missouri governor's accusation
-
No apology: Parson says he still has questions about disclosure of teachers’ Social Security numbers
- 22 updates