A data breach that may have exposed the Social Security numbers of tens of thousands of teachers, administrators, and counselors across Missouri could end up costing the Show-Me State $50m.
The security incident was caused by a flaw in a search tool on a website maintained by the state’s Department of Elementary and Secondary Education.
A reporter at the St. Louis Post-Dispatch discovered the vulnerability. The newspaper said that while no private information was clearly visible or searchable, teachers' Social Security numbers were contained in the HTML source code of certain web pages.
After being notified of the data breach on October 12, the department removed the page that included the search tool.
Department spokeswoman Mallory McGowin said: “We have worked with our data team and the Office of Administration Information Technology Services Division to get that search tool pulled down immediately, so we can dig into the situation and learn more about what has happened."
The newspaper estimated that more than 100,000 Social Security numbers were made vulnerable by the flaw. However, the Missouri Commissioner's Office, in a statement released October 12, said that the personally identifiable information of only three Missouri educators was potentially compromised.
Shaji Khan, a cybersecurity professor at the University of Missouri–St. Louis, described the vulnerability as “a serious flaw” that the cybersecurity industry has known about “for at least 10–12 years, if not more.”
“The fact that this type of vulnerability is still present in the DESE web application is mind boggling!” wrote Khan in an email to the Post-Dispatch.
Speaking at a press conference held on October 14, Missouri Governor Mike Parson said that the journalist who discovered the flaw should face criminal hacking charges.
"Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them," said Parson.
News of how much money it might take to recover from the breach was announced by the governor's office. The $50m estimate includes the cost of credit monitoring for breach victims and the creation of a call center to handle related inquiries.