Missouri Governor's Office Responsible For Teacher Data Leak
An anonymous reader quotes a report from Krebs on Security: Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 -- two years after responsibility for securing the state's IT systems was centralized within Parson's own Office of Administration. [...] On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that [St. Louis Post-Dispatch reporter Josh Renaud] did nothing wrong and only accessed information that was publicly available. Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was "not an actual network intrusion" and the state database was "misconfigured." The emails also revealed the proposed message when education department leaders initially prepared to respond in October: "We are grateful to the member of the media who brought this to the state's attention," was the proposed quote attributed to the state's education commissioner before Parson began shooting the messenger. The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state's Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade. McGowin also said the DESE's website was developed and maintained by the Office of Administration's Information Technology Services Division (ITSD) -- which the governor's office controls directly. "I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct," the Highway Patrol investigator wrote. "I asked her if the ITSD was within the Office of Administration, or if DESE had their on-information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration." The report was a vindication for Renaud and for University of Missouri-St. Louis professor Shaji Khan, who helped the Post-Dispatch verify that the security flaw existed. Khan was also a target of Parson's vow to prosecute "the hackers." Khan's attorney Elad Gross told the publication his client was not being charged, and that "state officials committed all of the wrongdoing here." "They failed to follow basic security procedures for years, failed to protect teachers' Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem," Gross told The Post-Dispatch. "We thank the Missouri State Highway Patrol and the Cole County Prosecutor's Office for their diligent work on a case that never should have been sent to them."
Read more of this story at Slashdot.