Data Vulnerability Incident - October 2021
November 10, 2021
State of Missouri Offers Credit and Identity Theft Monitoring to Educators after Data Vulnerability Incident
The Department of Elementary and Secondary Education (DESE), in conjunction with Missouri's Office of Administration Information Technology Services Division (OA-ITSD), will begin to send letters in the coming days to certificated educators across the state whose personally identifiable information (PII) may have been compromised during a recent data vulnerability incident. The state is unaware of any misuse of individual information or if information was accessed inappropriately outside of an isolated incident. However, out of an abundance of caution and in the unlikely event that this information was inappropriately accessed outside this single incident, the State of Missouri is offering 12 months of credit and identity theft monitoring resources through IDX to the approximately 620,000 past and present certificated educators whose PII was contained in the DESE certification database. Potentially impacted educators will receive direct communication by mail and/or email with more details about the services offered through IDX. Educators may contact the IDX Call Center at 833-325-1777 from 8:00 a.m. – 8:00 p.m. (CT) Monday through Friday to determine if they are among those eligible for these services.
Frequently Asked Questions
- I received a letter regarding the data vulnerability incident, but the return address was from Sacramento, California. Is this letter legitimate?
-
Yes. DESE has contracted with IDX, a third party vendor located in Sacramento, California, to send letters to Missouri educators whose personally identifiable information may have been compromised during the recent data vulnerability incident.
- What happened?
-
On October 12, 2021, DESE was made aware that the personally identifiable information (PII) of Missouri educators, which was located within the educator certification data available on DESE’s website, was potentially compromised. An individual told DESE that they, through a multi-step process, accessed the certification records of at least three educators, took the encoded source data from that webpage, decoded that data, and then viewed the social security number (SSN) of those specific educators.
- What personal information was vulnerable?
-
DESE was told by the individual that they accessed at least three individual educators’ SSNs. DESE was not told the identities of those individuals and is not aware of any other educators’ PII being accessed outside this isolated incident.
However, out of an abundance of caution and to protect our educators’ information, DESE is notifying all individuals included in the educator certification database available on DESE’s website. The database contains SSNs for all certificated educators; this includes anyone who holds any kind of teaching certificate, including substitute teachers and school administrators. There is also a relatively small number of non-certificated individuals who had information in the database because their information was uploaded into DESE’s Core Data system by their local education agency.
School districts are required to verify the certificates held by an educator, and DESE’s certification search tool is one tool school districts can use to verify that information. In the process of verifying an educator’s information, the last four digits of an educator’s SSN can be used in the certification search tool as a piece of unique information to identify the appropriate educator. If educators have the same name, for example, school districts can use the last four digits of the educator’s SSN to be sure the school district is viewing the correct information for the appropriate educator.
- Have the police/local authorities been notified? If so, with which police department and what is the case number?
-
The Missouri State Highway Patrol is investigating the incident.
- What is Missouri Department of Elementary and Secondary Education doing to prevent this kind of loss from happening again?
-
Upon verification of the threat, DESE immediately notified Missouri's Office of Administration Information Technology Services Division (OA-ITSD), and the educator certification search tool was disabled immediately by OA-ITSD.
OA-ITSD removed public access from the system and is currently working to update the tool’s code and functionality to reinforce security measures and prevent future unauthorized access. All similarly situated public facing systems were evaluated for this vulnerability – both at DESE and other state agencies – and no other instances were found by OA-ITSD and third party vendors working to stress test those applications.
- What is the deadline for registering for the pre-paid package of identity protection services?
-
February 14, 2022
- Has the information been misused?
-
These records were only accessible on an individual basis, and there was no option to decode SSNs for all educators in the system all at once. The state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident.
- Who should I contact if I have questions?
-
You can call the IDX call center at 833-325-1777 if you have questions, or for information on the membership services that are being provided.
- I did not receive a letter stating that my information was compromised, but feel that I should have. Can you help me?
-
The review of the data was extensive, and all individuals who had current contact information in DESE’s system were notified about this isolated incident, out of an abundance of caution, via email and mailed letters that went out between November 12, 2021 and November 15, 2021. There were some potentially impacted individuals who did not have current contact information in DESE’s system. Educators may contact the IDX call center at 833-325-1777 to confirm if they are among the potentially impacted individuals.
- What are the risks of identity theft with the information that was exposed?
-
Receiving a letter does not mean that you are a victim of identity theft. We are recommending that people review their letter and the recommendations provided. At this time, there is no reason to believe that your information is at risk, as a result of this incident.
- Is there anything I need to do to in response to the potential exposure of my personal information?
-
Once you are enrolled in the IDX identity protection membership, you may also take advantage of your rights to the free fraud alert services offered by the three major credit bureaus. Placing fraud alerts will provide your credit with additional protection. In addition, doing so will give you access to copies of each of your credit reports at no cost to you.
- How do I know if I’m one of the three individuals whose information was accessed?
-
If the state is able to determine who those three educators are, they will be contacted directly.
- When will the investigation be completed?
-
The investigation is ongoing and the state is not able to currently communicate a definitive timeline.
- How can I update my contact information with DESE?
-
Educators may log into their profile page in the Educator Certification System and update their contact information (address, phone, email) at any time. This profile page is part of the educator’s certification record.
If you don’t know how to update this information within DESE’s Web Applications, you can view directions here: https://dese.mo.gov/educator-quality/certification. The Educator Certification Help Guide also provides specific instructions: https://dese.mo.gov/educator-quality/certification/educator-certificati…;
You can email webappsloginassistance@dese.mo.gov or call 573-522-3207 if you need assistance logging into DESE Web Applications.
- Does this situation have anything to do with the Public School Retirement System (PSRS) / Public Education Employee Retirement System (PEERS) data breach incident?
-
No. This situation is not connected to other recent data security incidents involving educators’ PII.
October 13, 2021 - Original Information Shared
View the press release from the Office of Administration about this data vulnerability incident.
View the letter here from Commissioner of Education Margie Vandeven to Missouri certificated educators regarding this incident, or view the contents of the letter below:
On October 12, 2021, the Department of Elementary and Secondary Education (DESE) was made aware that the personally identifiable information (PII) of a few Missouri educators, which was located within the educator certification data available on DESE’s website, was potentially compromised. Through a multi-step process, an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.
Upon verification of the threat, DESE immediately notified Missouri's Office of Administration Information Technology Services Division (OA-ITSD), and the educator certification search tool was disabled immediately by OA-ITSD. These records were only accessible on an individual basis, and there was no option to decode SSNs for all educators in the system all at once. The state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident.
The situation is in the early stages of investigation. We are providing notice to you so that you may be aware of what occurred. The state will make a formal announcement detailing this incident later today.
For those educators determined to be impacted by this vulnerability, the state will make every effort to contact you directly as soon as possible to share information about the next steps. In the meantime, please remain vigilant by reviewing account statements and monitoring free credit reports, like those available at AnnualCreditReport.com.