Missouri State Education Commissioner Margie Vandeven inadvertently identified the precise problem when responding to a journalist’s question about why she pinned the blame on a Post-Dispatch reporter for a serious security issue on a Missouri education agency website, even though the reporter merely discovered the flaw and alerted her agency to its existence.
“I would ask you to do your research on — on where and who is responsible for those data security issues before you make that accusation,” Vandeven said.
It was an odd response, because the question contained no accusation. It was just a question.
The only accusation out there is one first leveled by Vandeven and later amplified by Gov. Mike Parson after the Post-Dispatch’s Josh Renaud stumbled across teachers’ Social Security numbers embedded in a Department of Elementary and Secondary Education website.
He was searching for teacher certification data at the time and alerted state authorities so they could remove the sensitive data before the Post-Dispatch published a story about what was clearly a major security breach on the state’s part.
The state Office of Administration issued a statement accusing Renaud of being a “hacker.” Vandeven leveled her own accusation that “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.” The next day, Parson echoed Vandeven’s accusations and threatened criminal prosecution.
One thing neither Parson nor Vandeven has done so far is own up to the fact that someone in authority attached teachers’ Social Security numbers to a state website. The person who alerted them to the problem is now irrationally the target of their ire, threats and accusations.
Which brings us back to Vandeven’s strange response. Yes, absolutely, the administration should do its research. Find out where the problem is and who is responsible for those data security issues. And, by all means, do all this before making that accusation.
What’s clear so far from the state response is that officials lashed out at the easy target — Renaud — instead of researching and getting answers to the most fundamental questions: How did this data get online? And who in the state government thought it was OK to include Social Security numbers in source code on a publicly accessible website?
Had Vandeven followed her own advice, she and Parson would not be the object of ridicule for their obvious failure to understand the basics of website construction. They have made themselves look silly and embarrassed Missouri on the national stage.
In addition to heeding Vandeven’s advice, perhaps the administration should consider the words articulated on the pages of The Washington Post almost exactly 110 years ago when a politician found himself in a fix of his own making: “Nor would a wise man, seeing that he was in a hole, go to work and blindly dig it deeper.”