According to an Oct. 15 notification from the Public School and Education Employee Retirement Systems of Missouri, the incident occurred on Sept. 11 when an employee of the system's email account was accessed by an unauthorized individual.
"The impacted email account was quickly disabled. The unauthorized individual did not gain access to PSRS/PEERS' internal operating system," the notification said.
The pension program, which serves over 128,000 active members and 100,000 retirees and their beneficiaries, is in the process of identifying affected individuals, properly notifying those individuals and reviewing security protocols to prevent incidents of this type in the future.
"The security of our members' information is the highest priority for us," said PSRS/PEERS Executive Director Dearld Snider. "We deeply regret this incident and any inconvenience it may cause our members."
Further details were not immediately available.
The notification was issued on the same day Gov. Mike Parson lashed out at the Post-Dispatch after the newspaper reported a separate, unrelated data flaw at the state's Department of Elementary and Secondary Education.
In that incident, the newspaper found that Social Security numbers of school teachers, administrators and counselors across Missouri were vulnerable to public exposure due to programming shortcomings on DESE's website.
The vulnerability was discovered in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.
Rather than thank the newspaper for discovering the vulnerability and giving the state the opportunity to fix the flaw, Parson called the newspaper's work "hacking" and called for a criminal investigation and a possible civil lawsuit.
In the pension incident, letters were mailed on Thursday, Oct. 14, to individuals who may have been affected. Included in the letter are details and activation codes for free 24-month membership in a credit monitoring service.
"We encourage anyone who receives a letter to take advantage of this free service," the pension system said.
PSRS/PEERS also has a dedicated telephone number with individuals trained to address questions about the incident. The phone number is 888-391-6964.
It is unclear whether DESE has made credit monitoring available to the more than 100,000 teachers affected by the security flaw.
DESE spokeswoman Mallory McGowin last week pointed members of the media to a press release and Parson's press conference when asked if it would be offered. Neither of those specifically mentioned free credit monitoring as a possibility.
"That is the extent of the comment I can provide for now due to the ongoing investigation," McGowin said.
In a letter sent Friday, Sen. Doug Beck, D-Affton, called on Missouri Commissioner of Education Margie Vandeven to notify him of what steps the department is taking to protect teachers from identity theft.
"When similar breaches occur in the private sector, the Federal Trade Commission recommends 'offering at least a year of free credit monitoring or other support ... particularly if financial information or Social Security numbers were exposed,'" he wrote.
Meanwhile, Auditor Nicole Galloway on Monday issued a report summarizing the most common cybersecurity risks found by her audits of local governments and courts.
"When security controls are inadequate — or even non-existent — electronic data can be put at great risk," Galloway said. "Local governments, courts and school districts face the same cybersecurity challenges as businesses, except that it's taxpayer resources that are put in danger of being lost, misused or stolen. There are proactive measures public agencies can take, and my office has provided several recommendations for better protection."
Among common issues found by the audits were access problems, in which former employees did not have their access to public systems removed promptly.
She also found system administrators were not requiring users to change their passwords periodically or were sharing passwords.
Other issues include security controls, backup and recovery issues and data management.
©2021 the St. Louis Post-Dispatch. Distributed by Tribune Content Agency, LLC.
