The governor of Missouri, Mike Parson, has accused a visitor to the state's department of elementary and secondary education (DESE) website of hacking and gaining access to teachers' United States social security numbers.
Parson said an unnamed individual had been reported to Cole County prosecution and the state Highway Patrol Digital Forensic Unit, for allegedly "decoding the HTML source code" of the site to view the socal security numbers (SSNs).
Hyper text markup language is used by web browsers to format text and to present objects for visitors to view on pages.
Most web browsers will let you view the HTML source code used to assemble pages through a specific key combination.
Parson railed against the "HTML source code" viewing on Twitter, where other users cast doubt that such an action could be construed as hacking.
One Twitter user also pointed out that Parson's own gubernatorial site running the Drupal 8 open source content management system had been set to debugging mode, which appears to be exposing sensitive data in turn.
Hey dude, I just took a multi-step process to decode the HTML source of your own website to see that it runs in debug mode and exposes paths to twig templates. pic.twitter.com/iuW2c10iQ1— Comfortably Numb (@YGalanter) October 14, 2021
The Missouri governor doubled down on his allegations, however, and insisted that the unnamed individual had accessed, converted and decoded the HTML source code.
We want to be clear, this DESE hack was more than a simple “right click.”— Governor Mike Parson (@GovParsonMO) October 14, 2021
THE FACTS: An individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers’ personal information. (1/3) pic.twitter.com/JKgtIpcibM
As of writing, it remains unclear if Missouri law enforcement will investigate the HTML source code viewing incident and take action against the person or people behind it.
After news of the data breach broke, the St Louis Post-Dispatch reported that over 100,000 SSNs may have been vulnerable in the incident.
Adding a twist to the story, the newspaper said one of its reporters had discovered the vulnerability, and confirmed that the nine-digit numbers the site displayed were indeed SSNs, belonging to three teachers.
While full details of the flaw are yet to be published, it appears anyone could search the DESE site and discover teachers' SSNs, which could then potentially be used for identity fraud.