A reporter at the St. Louis Post-Dispatch who alerted the Missouri Department of Elementary and Secondary Education (DESE) that a web application was leaking the sensitive data of teachers and other school workers has been reported to the Cole County prosecutor by state Governor Mike Patterson. Governor Patterson has also threatened to initiate criminal proceedings against anyone who assisted the reporter or who also accessed the data, in what appears to be a case of shooting the messenger.
On Twitter, Governor Patterson said, “Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSNs of those specific educators. We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.” At a news conference, Governor Patterson said, “This individual did not have permission to do what they did. They had no authorization to convert or decode. So, this was clearly a hack.” Governor Patterson said the incident could end up costing taxpayers up to $50 million, and that the story was reported to embarrass the state as part of a ‘political vendetta’ by the paper.
The reporter in question discovered Social Security numbers were being exposed and confirmed the issue with a cybersecurity expert. The reporter then notified the DESE, which addressed the issue the same day. In accordance with responsible disclosure protocols, the reporter did not go public about the data exposure until after the issue had been resolved.
Social Security numbers appear to have been present in data fields that are normally hidden from website visitors but can be seen by looking at the HTML of the page. The HTML code that was “decoded” can be viewed in any standard web browser by selecting its option to view the page source.
The issue appears to be with a web application that has been active since 2011. It is used by local education authorities to verify the certifications and credentials of teachers. To ensure individuals retrieve the right records, the search function allows the last four digits of a teacher’s Social Security number to be used in a search query.
While the Social Security numbers were passed from a database to the web application for verification purposes, there appears to have been a misconfiguration that caused the numbers to be included in the HTML markup, making them visible to anyone who looked at the source code. According to the Post-Dispatch article, the full Social Security numbers of more than 100,000 individuals were visible in the source code.
The Missouri Office of Administration Information Technology Services Division said the web application had been scanned for vulnerabilities on multiple occasions, but no problems were identified.
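The two preceding points, a server-side value copied into markup the browser does not display, and a vulnerability scan that did not notice it, are illustrated by the following added example. It is not code from the article, from DESE or from the state's application; the records, page templates and field names are constructed for illustration. It shows a constructed "before" template that places a full SSN in a hidden form field beside a hardened version that sends the page only an opaque record identifier, and a content-aware check that a scanner or a pre-release test would need in order to catch the first one: it parses the rendered HTML and reports SSN-pattern values found in hidden inputs, attributes, comments and script bodies rather than only in visible text.

```python
"""
Added example (not from the article, DESE or the state's web application).
A content-aware check for Social Security numbers leaking into rendered
HTML, including the hidden fields and comments that "view source" reveals.
All records, templates and field names below are constructed.
"""
import re
from html.parser import HTMLParser

# SSN shapes 123-45-6789 / 123456789, excluding never-issued area, group and
# serial values (000, 666, 9xx; 00; 0000) to cut down on false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b")


class SsnLeakScanner(HTMLParser):
    """Collects SSN-looking values and where in the markup each one sits."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (location, matched value)
        self._raw_tag = None    # set while inside <script> or <style>

    def _check(self, where, text):
        for match in SSN_RE.finditer(text or ""):
            self.findings.append((where, match.group(0)))

    def handle_starttag(self, tag, attrs):
        attr_map = {k: (v or "") for k, v in attrs}
        is_hidden_input = tag == "input" and attr_map.get("type", "").lower() == "hidden"
        for attr, value in attr_map.items():
            if is_hidden_input and attr == "value":
                where = f'hidden input "{attr_map.get("name", "?")}"'
            else:
                where = f"attribute {attr} on <{tag}>"
            self._check(where, value)
        if tag in ("script", "style"):
            self._raw_tag = tag

    def handle_endtag(self, tag):
        if tag == self._raw_tag:
            self._raw_tag = None

    def handle_comment(self, data):
        self._check("comment", data)

    def handle_data(self, data):
        where = f"<{self._raw_tag}> body" if self._raw_tag else "visible text"
        self._check(where, data)


def scan_html(html):
    """Return [(location, value), ...] for every SSN-pattern value in the page."""
    scanner = SsnLeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample record; the SSN is a made-up value.
SAMPLE_RECORD = {"record_id": "rec-0001", "name": "Example Teacher", "ssn": "123-45-6789"}


def render_vulnerable(record):
    """Constructed 'before': the full SSN rides along in a hidden field."""
    return (
        "<form method='post' action='/verify'>"
        f"<input type='hidden' name='ssn' value='{record['ssn']}'>"
        f"<span>{record['name']}</span>"
        "</form>"
    )


def render_hardened(record):
    """Constructed 'after': only an opaque record id reaches the client; the
    SSN stays server-side and is looked up by id when the form is posted."""
    return (
        "<form method='post' action='/verify'>"
        f"<input type='hidden' name='record_id' value='{record['record_id']}'>"
        f"<span>{record['name']}</span>"
        "</form>"
    )


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(SAMPLE_RECORD)),
                        ("hardened", render_hardened(SAMPLE_RECORD))):
        print(label, "->", scan_html(page) or "no SSN-pattern values found")
```

The check is deliberately run over the rendered page rather than the template or the database, since that is the artifact a visitor actually receives; a port-and-signature scan of the kind that reports "no problems" does not look at this layer at all. The hardened template also shows the fix at the right place: the application should never need the full number on the client to complete a verification when a server-side identifier will do.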
Had the issue not been reported, those Social Security numbers would still be exposed online. “For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered,” said Joseph Martineau, legal counsel for the Post-Dispatch.