The NorthSider

Flaw that exposed teacher data existed since 2011, report says 

Prosecutor won't file charges despite Parson's accusation of hacking

ST. LOUIS (AP) — A flaw in a state database that allowed public access to thousands of teachers’ Social Security numbers had been in place for a decade before a St. Louis Post-Dispatch reporter exposed it, according to a report released Monday.

Gov. Mike Parson, a Republican, condemned reporter Josh Renaud last fall for writing about the weakness, even though the paper refrained from doing so until after the state could fix it. Parson also said the Missouri State Highway Patrol would conduct an investigation, which culminated in the 158-page report that was released Monday.

Missouri Department of Elementary and Secondary Education spokeswoman Mallory McGowin told the patrol that Renaud hadn’t accessed “anything that was not publicly available, nor was he in a place he should not have been.”

According to the report, McGowin also told investigators with the patrol that a vulnerability that left 576,000 teacher Social Security numbers exposed “would have been there since 2011, when the application was implemented.”

Renaud told investigators that he discovered the security flaw by accident while he was collecting publicly available data for a potential story on teacher accreditation. 

He was trying to build a data set so the Post-Dispatch could run analysis on it and look for trends that could lead to a story, Renaud told investigators. He needed to look at the source code to figure out the best way to collect the information, and in doing so he found what he thought was a social security number for an educator. 

“He stated he located a parameter that was labeled ‘Educator SSN’ and a nine-digit number below it, which at face value appeared to be a social security number,” the summary of the interview says. “He stated he was shocked because he was not looking for it and did not expect to find that information.”

To make sure what he found were indeed social security numbers, Renaud said he ran the information by teachers he knew. He also checked with Khan, who told investigators the problem discovered by Renaud had been a continual issue for the past 10 to 12 years.

Pam Keep, client service manager for the state’s Information Technology Services Division, told investigators that the data Renaud found was encoded “but should have been encrypted.”

None of the data was encrypted and no passwords were required to access the data from the public website.

Keep also said the site in question was “about 10 years old, and the fact the data was only encoded and not encrypted had never been noticed before.”

During his interview with investigators, Khan compared the situation to that of a person who “walks into a room and shouts their social security number in Chinese.”

“And if anyone in the room understands what they said,” a summary of the interview said, “they are charging that person with unauthorized access.”

The Post-Dispatch previously obtained records through an open records request showing that the state education commissioner initially planned to thank the newspaper for finding the problem. But the state instead issued a news release calling the reporter a “hacker.”

McGowin said the database — like other state computer services — is actually overseen by Parson’s Office of Administration, which the governor controls.

The highway patrol said it spent about 175 hours on the investigation. Three officers assisted in the probe. No cost estimate was provided.

The report’s release came more than a week after Cole County Prosecuting Attorney Locke Thompson announced he would not be charging Renaud in connection with the investigation.

The investigators also talked with cybersecurity expert Shaji Khan, who had verified for the Post-Dispatch that the flaw existed.

Khan, who teaches at the University of Missouri-St. Louis, said he was alarmed by the information he’d received about the vulnerability.

“He [Khan] stated by the time he was done looking, he realized how bad the situation was and indicated the state needed to be notified immediately,” the report notes.

Khan’s attorney, Elad Gross, said last week that Thompson would not be charging Khan either.

“Governor Mike Parson had no basis to instigate a criminal investigation into reporter Josh Renaud or cybersecurity expert Dr. Shaji Khan,” Gross said in a statement. “These Missourians responsibly reported a security flaw on a public website that transmitted teachers’ social security numbers to every website visitor. They did the right thing.”

The Missouri Independent contributed to this report.
