The Public School and Education Employee Retirement Systems (PSRS/PEERS) of Missouri were hit by a data breach in September, according to a notification sent to employees and beneficiaries last week.
The notice said there was a “data security incident” on Sept. 11, and that “as a result, your personal information may have been potentially exposed to an unauthorized individual.”
The hack occurred when an employee’s email account was accessed for less than an hour by someone from outside the retirement system without authorization. The pension fund said its information technology (IT) team disabled the employee’s email account within minutes of being told of the breach and that it alerted law enforcement authorities and took immediate steps to enhance security protocols to prevent a repeat of the incident.
“The accessed email account contained files with personal information relating to you, including your name, and internal PSRS/PEERS account numbers associated with you,” said the notice letter. “It may have also included your birth date.”
The letter emphasized that employees’ Social Security numbers were not included in the potentially exposed data. PSRS/PEERS has more than 128,000 active members along with more than 100,000 retirees and beneficiaries.
The letter to the retirement systems’ members was sent out the same day that the St. Louis Post-Dispatch reported it had discovered a vulnerability on a website maintained by the state’s Department of Elementary and Secondary Education (DESE) that allows the public to search teacher certifications and credentials. The report said that based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.
The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved, and cybersecurity expert Shaji Khan, a professor at the University of Missouri-St. Louis, called the vulnerability “a serious flaw.” The Post-Dispatch said it immediately informed the DESE after discovering the vulnerability and delayed publishing the story to give the state time to fix the problem.
The report angered Missouri Gov. Mike Parson, who accused the newspaper of illegally hacking the retirement systems’ website. He said at a news conference that a prosecutor and the Missouri State Highway Patrol would investigate the matter, and that the Post-Dispatch would be held accountable.
“We are coordinating state resources to respond and utilize all legal methods available,” Parson said. “My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol’s digital forensic unit will also be conducting an investigation of all of those involved.”
In a tweet, Parson said the reporter “accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers’ personal information.”
Post-Dispatch Publisher Ian Caso said the newspaper stands by its reporter “who did everything right,” adding that “it’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.”