(JEFFERSON CITY, MO) – On October 12, 2021, the Department of Elementary and Secondary Education (DESE) was made aware that the personally identifiable information (PII) of three Missouri educators, which was located within the educator certification data available on DESE’s website, was potentially compromised.
Through a multi-step process, a hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number (SSN) of those specific educators.
Upon verification of the vulnerability, DESE immediately notified Missouri's Office of Administration Information Technology Services Division (OA-ITSD), as the web application where the vulnerability existed is programmed and maintained by OA-ITSD. The educator certification search tool was disabled immediately by removing public access to the system and updating the code to repair the vulnerability.
It is important to note that these records were only accessible on an individual basis, and there was no option to decode SSNs for all educators in the system all at once. The state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident.
OA-ITSD is investigating to ensure there are no other potential vulnerabilities within DESE’s data and/or the data collected by other state agencies. In the last 24 hours, OA-ITSD has performed intense testing of all public facing web applications across all state agencies, and has not identified any other vulnerabilities. As an additional measure of precaution, third party penetration testers were engaged to look for this specific vulnerability on state of Missouri websites.
“OA-ITSD takes the security of citizen data very seriously. We utilize multiple tools from multiple vendors to scan for vulnerabilities on a continuous basis, as well as code reviews utilizing secure coding practices,” Jeff Wann, Chief Information Office, State of Missouri said. “As new threats continually arise, ITSD acts quickly to address those threats. Upon learning of this vulnerability, ITSD removed public access from the system and updated the code to remediate the vulnerability immediately. All similarly situated public-facing systems were evaluated for this vulnerability and no other instances were found. Modernizing the State’s systems is a high priority to assure ever changing security threats are addressed.”
Local education agencies (LEAs) are required to verify the certificates held by an educator, and DESE’s certification search tool is one way LEAs can verify that information. In the process of verifying an educator’s information, the last four digits of an educator’s SSN can be used in the certification search tool as a piece of unique information to identify the appropriate educator. If educators have the same name, for example, LEAs can use the last four digits of the educator’s SSN to be sure the LEA is viewing the correct information for the appropriate educator.
DESE’s educator certification search tool was launched in 2011. Since then, OA-ITSD has done a number of vulnerability scans on its web application that contains this information, and those scans did not yield any concerns or potential threats.
Officials at DESE and OA-ITSD are working diligently to determine the severity of the issue in order to take the proper next steps. Educators and other stakeholders can visit dese.mo.gov/data-incident to stay informed about this situation and the ongoing investigation.