JEFFERSON CITY — Two weeks after the St. Louis Post-Dispatch identified an online security flaw on a state website, the state has hired a company to perform data breach and credit monitoring services.
Purchasing documents show Gov. Mike Parson’s administration hired Oregon-based Identity Theft Guard Solutions for the job on Oct. 29. The contract runs through February 2022.
The company, known as ID Experts, said it has managed thousands of data breach events since 2003.
“We consistently strive to handle data breach notification and response in such a way as to provide positive outcomes for our clients and the affected individuals,” the company said in a summary of its contract.
The flaw identified by the newspaper put the Social Security numbers of an estimated 100,000 educators across Missouri at risk of exposure.
It’s not clear whether the company will focus on that issue or another, but the pricing sheet included in the contract shows it would cost taxpayers about $4.5 million to notify the teachers of the potential breach and then provide them with credit monitoring services.
Among the company’s clients is the U.S. Office of Personnel Management, which suffered a hack potentially compromising the records of 21.5 million people.
The federal contract is worth a potential $416 million.
Following the initial report on the state’s vulnerabilities, Republican Gov. Mike Parson accused the newspaper of hacking the Department of Elementary and Secondary Education’s website in a “crime against Missouri teachers” and called for an investigation by the Cole County prosecutor and the Missouri Highway Patrol.
Parson’s declaration was met with derision from cybersecurity experts and earned national media attention.
The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials.
The newspaper delayed publishing its report until the Department of Elementary and Secondary Education had removed the affected pages from its website and the state had time to examine other agencies’ web applications for similar vulnerabilities.
The significant security flaw on DESE’s website was that Social Security numbers were included in the HTML source code of a web application that allows the public to look up teachers’ certification status. The information was not encrypted, and website users did not need to authenticate to view it.
During his attack on the newspaper, Parson said the incident could cost $50 million. Neither he nor his spokeswoman, Kelli Jones, has explained how they arrived at that figure.
Days later, Parson’s political action committee launched a video highlighting his attacks on the newspaper.
The 55-second video by the Uniting Missouri PAC praises Parson for standing up to the state’s “fake news factory.” It also suggests the report was “digging around” in personal data about teachers.
Since then, Uniting Missouri has collected at least $85,000 in contributions, according to reports filed with the Missouri Ethics Commission. Among the contributors were Baker Implement Co. of Kennett and Martin Grain Co. of Bernie.
In an interview Sunday, Parson acknowledged he is “no computer expert.”
“I’ll be the first to admit that,” said the governor, who does not have a computer in his office.