Missouri apologizes to 600k teachers who had SSNs and private info exposed

Missouri's Department of Elementary and Secondary Education is offering 620,000 former and current teachers 12 months of credit and identity theft monitoring resources through IDX.

Missouri's Department of Elementary and Secondary Education (DESE) has apologized to the 620,000 past and present educators who had their sensitive information -- including their social security numbers -- exposed on the DESE certification database.

Missouri's Office of Administration Information Technology Services Division (OA-ITSD) and the DESE will send out letters to those affected notifying them that their personally identifiable information "may have been compromised during a recent data vulnerability incident."

The situation caused national headlines last month because the governor of the state used the incident to attack The St. Louis Post-Dispatch. Josh Renaud, a reporter from the newspaper, discovered a vulnerability in the certification database that exposed teacher data, notified the DESE, and gave them time to fix it before publishing his story

But Missouri Governor Mike Parson claimed Renaud had "hacked" the database himself and threatened legal charges against the reporter. Since being ridiculed by cybersecurity professionals -- and even members of his own party -- Parson has used the incident to fundraise for himself, bringing in about $85,000 thanks to an ominous video doubling down on the hacking accusations, according to the Post-Dispatch. 

But DESE officials, alongside members of OA-ITSD, apologized this week to the teachers who had their data exposed and offered 12 months of credit and identity theft monitoring resources through IDX. 

"Educators have enough on their plates right now, and I want to apologize to them for this incident and the additional inconvenience it may cause them," said Commissioner of Education Margie Vandeven. 

"It is unacceptable. The security of the data we collect is of the utmost importance to our agency. Rest assured that we are working closely with OA-ITSD to resolve this situation."

The state claims it is "unaware of any misuse of individual information or if information was accessed inappropriately outside of an isolated incident." But officials said that "out of an abundance of caution," they wanted to provide teachers with some protection. 

Those who may have been affected by the issue can contact the IDX Call Center at 833-325-1777.

DESE explained that Renaud said he was able to view the social security numbers of certain teachers "through a multi-step process" that involved accessing the certification records of at least three educators and then taking the encoded source data from that webpage and "decoding that data."

"Educators' PII was only accessible on an individual basis within this search tool, and there was no option to decode SSNs for all educators in the system all at once. Upon verification of the threat, DESE immediately notified OA-ITSD who immediately disabled the educator certification search tool," the state said. 

"The services offered through IDX will cost the state approximately $800,000. The state was able to take advantage of an existing multi-state contract with this vendor, which significantly lowered the cost for the credit and identity theft monitoring services."

Parson originally claimed during a press conference that the incident would cost the state $50 million as opposed to the $800,000 that is now being spent. Despite the ridicule Parson got from cybersecurity experts, the Missouri Highway Patrol-led investigation into the incident is still ongoing.