The St. Louis Post-Dispatch reported a flaw in a Missouri state website maintained by the Department of Education. Reporters for the newspaper discovered that teachers’ Social Security numbers were embedded in the source code of a web application that allowed the public to search for teachers in the state. The Post-Dispatch warned the department of the vulnerability and waited for the department to take the data offline before reporting on the issue.
In a press conference after the reporting was made public, Governor Mike Parson condemned the newspaper for its actions and promised legal action against the reporters and the newspaper itself.
“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” Parson said. “It is unlawful to access encoded data and systems in order to examine other peoples’ personal information. We are coordinating state resources to respond and utilize all legal methods available.”
However, the cybersecurity community has a different view of the vulnerability. The newspaper warned the Department of Education of the vulnerability and held the story until the data was offline. The Social Security numbers were found in the HTML of the site, meaning they were available to anyone with a web browser. Additionally, the Governor’s comments could discourage others from reporting vulnerabilities in the future.
This month the Missouri State Auditor found numerous issues with the state’s cybersecurity practices. The report dated October 2021 cited issues with weak and shared passwords, backups not being stored securely, and system access that continues to be open to former employees.
State and local governments are often in the cybersecurity news for breaches. Typically, the report after the breach shows numerous security failings. Poor password practices, unused systems being left online, and unprotected backups are patterns we have seen before.
Instead of owning the problem, the school board is looking to place blame on the media. The media handled this correctly. The school board should be focused on fixing their issues and protecting the identity of their teachers. This should serve as a lesson for others to strengthen their cybersecurity practices.