Published: January 17, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
If you’ve ever wondered if a website data flaw, suing a reporter from the St. Louis Post-Dispatch, and the Missouri State Governor would ever cross paths, this is for you. It started when the “Show Me” state showed way too much on their Department of Elementary and Secondary Education (DESE) website. The Social Security numbers of over 100,000 DESE employees were exposed in the website’s public-facing source code.
A St. Louis Post-Dispatch reporter noticed the source code on the DESE website and was shocked to find the Social Security numbers were displayed. In the wrong hands, it was a massive data breach waiting to happen. The firestorm that followed when Governor Mike Parson brought politics and prosecution of the reporter into the mix is the stuff of nightmares for do-gooders everywhere.
The St. Louis Post-Dispatch reported the findings to the DESE only, allowing them the time they needed to remove the data before reporting the story publicly. The Post-Dispatch decided the privacy of the DESE employee’s data was more important than posting their exclusive, big news story.
The Cost Of A Data Breach In The U.S.
Data breaches are happening at break-neck speeds these days, tragically with many of them avoidable to begin with. IBM’s Cost of a Data Breach 2021 finds the average data breach spiked to $4.24 million, up from last year’s $3.86 million. IBM says it’s the highest rate in the entire 17 years of their report.
Parson announced the flaw “may cost Missouri taxpayers as much as $50 million and divert workers and resources from other state agencies.” His estimate includes fixing the DESE website issue as well as identity protection services for its employees. When Parson claimed the Post-Dispatch reporter “hacked” the website and threatened him with criminal prosecution, alarm bells began to ring within the cybersecurity profession.
The long outdated DESE code flaws, according to Stickley on Security President Jim Stickley, is something “That even in the 1990’s, people would make fun of.” Governor Parson’s bizarre reaction to the unwelcome news, including his threats to the reporter, is a nonsensical approach to cybersecurity. Keeping his state’s websites updated makes much more sense.
Commenting on this entire event, Jim Stickley feels “This is probably the scariest cyber-risk that I’ve ever seen in my life. Even if you report that you’ve discovered a vulnerability, even if it’s something benign…and now you’ll get prosecuted for it? If this governor can sue and prosecute this reporter by turning it into a political thing, it’s going to turn the entire cybersecurity industry on its head.”
What should happen, is that the organization fix the issue, right away. That’s the technical solution. A more diplomatic solution would perhaps be to apologize for the error and give those whose information was exposed credit monitoring services at a minimum. Threatening to sue those who are trying to protect the public is just likely to cause others in the same position as the reporter to keep it secret until it does damage…potentially significant.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org