The state Department of Elementary and Secondary Education was hacked and the Social Security numbers of three Missouri educators were potentially compromised, the department noticed Tuesday.
Personally identifiable information, including the Social Security numbers, for three Missouri educators was accessed through the state's educator certification data on DESE's website Oct. 12.
The hacker took the records of at least three educators, decoded the HTML source code and accessed Social Security numbers.
Upon verification, DESE notified Missouri's Office of Administration Information Technology Services Division — the department responsible for creating and maintaining the website application that was compromised.
OA-ITSD disabled the educator certification search tool by removing public access and updated the code to repair its vulnerability.
"OA-ITSD takes the security of citizen data very seriously. We utilize multiple tools from multiple vendors to scan for vulnerabilities on a continuous basis, as well as code reviews utilizing secure coding practices," said Jeff Wann, Missouri's Chief Information Officer. "As new threats continually arise, ITSD acts quickly to address those threats. Upon learning of this vulnerability, ITSD removed public access from the system and updated the code to remediate the vulnerability immediately. All similarly situated public-facing systems were evaluated for this vulnerability and no other instances were found. Modernizing the State's systems is a high priority to assure ever changing security threats are addressed."
The compromised data is linked to a DESE tool from 2011 that local education agencies can use to verify the certificates held by educators.
Local education agencies can use the last four digits of an educator's Social Security number as a piece of unique information when searching to verify certifications.
The educators' records were accessed on an individual basis as there isn't an option to decode Social Security numbers for all educators at once.
According to an OA press release, the state is currently unaware of any misuse of the individuals' information.
OA-ITSD is continuing to investigate the incident to ensure there aren't additional issues within DESE's data or data collected by other state agencies.
It has performed testing of all public facing web applications across all state agencies and has not identified any additional vulnerabilities in the last 24 hours.
Additionally, third-party penetration testers have been requested to look into this vulnerability among all state government websites.
OA-ITSD has conducted previous vulnerability scans of DESE's educator certification search tool, none of which identified concerns or potential threats.
DESE and OA-ITSD will continue to assess the situation and determine next steps. Updates will be posted to dese.mo.gov/data-incident.