The Public School and Education Employee Retirement Systems of Missouri has notified 349,246 employees and retirees of a security incident that occurred on September 11.
According to their notification letter, an employee’s email account was accessed by an unauthorized individual for less than one hour on that date before IT disabled the account after being alerted to the problem.
The email account contained names, PSRS/PEERS account numbers, and, for some individuals, dates of birth.
The notification letter, a copy of which was submitted to the Maine Attorney General’s Office, is embedded below.
This incident is separate from another incident in which a St. Louis Post-Dispatch reporter found a vulnerability in a state agency website that allowed people to view teachers’ SSNs. The paper notified the state agency, only to have Governor Parson declare the reporter a hacker and claim that the state had referred the matter for criminal prosecution. That the governor does not seem to appreciate the shortsightedness of his incident response predicts some troubling times ahead for the state when other vulnerabilities are discovered.
In any event, the email account compromise incident does appear to be an external hack, and maybe, just maybe, the state should be looking at itself to see why basic security hygiene and protocols have not been in place or deployed properly. Apart from the issue of whether SSNs had been encoded in the other system, did the employee’s email account have MFA enabled? If not, why not? How did the threat actor gain access to that account?
MultiState Letter Examples