When Governor Mike Parson angrily demanded last week that the St. Louis Post-Dispatch be prosecuted for discovering security breaches at a state agency’s website, he said the newspaper’s actions could “Costing Missouri taxpayers up to $ 50 million.”
That amount, two House Budget Committee Democrats said Tuesday, is an estimate to provide credit monitoring to protect against misuse of personal data and a call center to answer questions from educators whose private data may have been exposed.
And, said State Representative Peter Merideth, the estimate is not very good.
“He pulled it straight out of his ass,” Merideth said in an interview with The Independent on Tuesday.
The Parson administration has so far refused to publicly justify the $ 50 million claim. Asked to do so on Tuesday, Parson spokeswoman Kelli Jones said she had “not had time to get down to it.”
Merideth, the rank Democrat on the committee, and Rep. Kevin Windham, D-Hillsdale, said in a statement that they had asked the impartial staff of the credits to find out what Parson, a Republican, intended to do. do with the money.
They were informed, Merideth said, that the governor’s statement was “a very rough and preliminary estimate,” the funds that would be tapped were not identified and the timeline for doing anything was not clear.
In the statement, Merideth and Windham said the Post-Dispatch is protecting the state by retaining history until the data issue is resolved.
If the person who found the data had the wrong intention, Windham said, the price could have gone up.
“I remain concerned about the potential costs to the state resulting from lawsuits and the like, but I am much more concerned about the 100,000 educators whose sensitive information has been treated with such negligence,” Windham said. “Our state is incredibly lucky that the person who found this vulnerability reported it to the state as soon as they did.”
The reason the estimate is questionable, Merideth said, is that it can replicate something the state has already been forced to do to protect educator data.
The state has purchased 24 months of credit monitoring for potential victims of a data security issue in the public school and education employee retirement system, the Post-Dispatch reported on Tuesday. The system notified its more than 128,000 active members and 100,000 beneficiaries of the 9/11 breach on the same day Parson attacked the history of teacher data.
Data for about 100,000 active educators were available on the website of the Department of Primary and Secondary Education.
“I doubt it costs $ 50 million per 100,000 people to have credit monitoring,” Merideth said.
In the story that enraged Parson, the Post-Dispatch reported on a website set up for the public to search for the credentials of individual educators exposed to Social Security numbers. The numbers were visible embedded in the code that tells the computer how to display a page, which can be viewed by pressing the F12 key on Apple and Microsoft operating systems.
The reporter looked at three social security numbers, the newspaper reported. The Post-Dispatch informed the ministry and refrained from publishing an article on the issue until data was no longer available.
In the statement Parson read to reporters without answering questions, he said the reporter who discovered the problem was a hacker and viewing the data was a crime. He said he referred the case to Cole County District Attorney Locke Thompson and that the Missouri State Highway Patrol would investigate.
“This incident alone could cost Missouri taxpayers up to $ 50 million and divert workers and resources from other state agencies,” Parson said. “This matter is serious business.”
By making the statement as he described the law enforcement response, Merideth said, Parson was suggesting the investigation would cost just as much.
“He was very clearly trying to suggest that this is what we have to spend to hold this guy accountable, or this is what we have to spend because of what this reporter did,” Merideth told The Independent. “The money is owed to exposure and the state’s failure to maintain data security.”
Parson defended his call for prosecution in a Facebook post the day after his public statement.
“This information was not available for free and was intentionally decoded,” Parson wrote. “By the actor’s own admission, the data had to go through eight separate steps in order to generate a (social security number).”
Jeanne Kuang of the Star contributed to this story.
This story was produced by the Missouri Independent, a non-partisan, nonprofit news organization covering state government, politics, and politics.