Missouri website that leaked SSN

90 points| tantalor | 4 years ago |web.archive.org | reply

97 comments

[+] unicornporn|4 years ago|reply
Fun fact. In Sweden it's available to anyone. Anyone can also find out where you're living, whom you're living with and what vehicle you're driving (among other things). It's a part of offentlighetsprincipen[1].

[1] [PDF] https://www.regeringen.se/4a76f3/contentassets/2c767a1ae4e84...

[+] willvarfar|4 years ago|reply
Yes. America’s problem is that they use the SSN as a secret. Knowing it means you can impersonate someone.

Whereas in Sweden the “person number” is public information and identity is authenticated and authorized in other ways (by showing a driving license or using a “bank id” app etc).

In the Nordics how much tax you pay (meaning for most people you can just divide by twelve to determine salary) is also public info. As is how much houses sell for etc.

[+] progre|4 years ago|reply
I believe Offentlighetsprincipen is one of the main foundations of the success of Sweden as a democracy. It acts like a filter on corruption. Dumb politicians are regularly exposed early in their careers. Only really smart, subtly corrupt politicians make it to the top level of government.
[+] jimbob45|4 years ago|reply
Does that not lead to the potential sticky situations that my mind immediately jumps to?

Edit: I read through your link and did some light browsing of my own (later stonewalled by the fact that I don't speak any of the Scandinavian languages). I don't see anywhere that a citizen can re-assert their right to privacy but that would seem to be necessary in some cases (e.g. Twitch streamers wanting to remain incognito to avoid getting SWATted or otherwise frequently visited by police).

[+] ShockedUnicorn|4 years ago|reply
For an even clearer example. There's this list of the 25 most searched for people last year: https://www.ratsit.se/info/omtalade/mest-eftersokta-forra-ar... . I can recognize several celebrities there, most of them artists, and even our prime minister.

You can see addresses, if they own dogs, which cars they own, what salary they have (the site I linked needs payment for that, but there's other ways to get it for free), the companies they own or own a part of.

[+] Salgat|4 years ago|reply
The issue is never general doxxing, it's targeted attacks.
[+] sucrose|4 years ago|reply
This is the main reason PewDiePie (game streamer) moved out of Sweden.
[+] zenithd|4 years ago|reply
In the United States SSNs are treated as secret. I shouldn't have to care if other people know my DOB or SSN, but I have to care because tons of companies and government offices use these as proof of ID.
[+] threatofrain|4 years ago|reply
[+] ManBlanket|4 years ago|reply
If only there were legislation in place to subject those breaching this misinformation to legal recourse, so the current administration can enforce which problems exist in the public's eyes. Some real legal tools the government can use to enforce truths from falsehoods, wired right into the platforms that disseminate this kind of misinformation. After all, elected representatives are known for their intellectual honesty and predictably virtuous behavior.
[+] pacbard|4 years ago|reply
Most states allow you to look up teacher licenses using last name and they have a “secure” version of the same site for employers and employees to update data. Most of the secure sites use a combination of last names, dob, and/or SSNs to authenticate teachers.
[+] pugworthy|4 years ago|reply
To be clear, it asks for last 4. This is not uncommon, with some sites asking for last name, birthday and last 4 of social to identify someone.
[+] tyingq|4 years ago|reply
Funny, with the Governor first doubling down on his "leet hackers" drivel, but now trying to bury it with new unrelated tweets to push his earlier rants down.
[+] WillPostForFood|4 years ago|reply
You know the guys who made the site were telling their bosses: We got hacked, but we're in control of the situation. They weren't saying, we screwed up and made private info public.
[+] hinkley|4 years ago|reply
I think we as a profession have made a fundamental error of not internalizing the idea that we have different “colors” of data that need to be treated as such at all times. At rest, and in motion.

We have bespoke solutions to keep passwords and numbers out of logs by obscuring certain key, value pairs, but that’s exactly what it is. Bespoke.

Those fields should be protected at all levels. I don’t know if I would go so far as calling it a cross cutting concern, but there is definitely a problem with stringly typed data that is a mix of PII, privileged data and common knowledge.

[+] bob1029|4 years ago|reply
We've started to treat anything that even sounds like PII as if it were high level radioactive waste. We have a single unified model for our problem domain with special attributes on those properties which are PII-sensitive.

Any time our model is to be exposed to an unsecure context, it is reflected for these PII attributes and mapped into a special redacted variant of the same model.

For purposes of troubleshooting, the redacted model properties receive the sensitive data as a hash after it has been passed through salted SHA256. This allows us to correlate sensitive things like SSNs between multiple log entries for the same work item, but not across different work items.
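
An added example, not bob1029's code or part of the thread: one way to build the scheme described above in Python, with a dataclass field marker standing in for the PII attributes. It uses HMAC-SHA-256 with a random per-work-item key instead of a plain salted hash, because a nine-digit SSN can be enumerated if the salt is ever recovered. `Educator`, `Redactor` and the sample values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field, fields, replace

PII = {"pii": True}  # field marker, standing in for the PII attributes described above


@dataclass(frozen=True)
class Educator:  # constructed model, not from the thread
    district: str
    last_name: str = field(metadata=PII)
    ssn: str = field(metadata=PII)


class Redactor:
    """Builds redacted copies of a model for logs and other unsecured contexts."""

    def __init__(self):
        self._keys = {}  # work item id -> random key, held in memory only

    def redact(self, obj, work_item_id):
        key = self._keys.setdefault(work_item_id, secrets.token_bytes(32))
        changes = {}
        for f in fields(obj):  # reflect over the model for marked fields
            if f.metadata.get("pii"):
                raw = str(getattr(obj, f.name)).encode("utf-8")
                tag = hmac.new(key, raw, hashlib.sha256).hexdigest()
                changes[f.name] = "pii:" + tag[:16]
        return replace(obj, **changes)


if __name__ == "__main__":
    r = Redactor()
    e = Educator("081097", "DOE", "000-00-0000")  # constructed values
    print(r.redact(e, "job-1"))  # same token on every log line of job-1
    print(r.redact(e, "job-2"))  # different token: no cross-job correlation
```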

[+] codingdave|4 years ago|reply
About half the places I've worked, and all the places with more than a couple dozen employees, have had formal security levels on emails, data, and documents. It is common enough practice that plugins exist to set the levels in MS Office tools. These cover PII as well as confidentiality and simply "internal only" levels of content.

If you haven't worked in a large company in recent years, maybe you haven't seen it, but it feels fairly standard these days.

[+] anoonmoose|4 years ago|reply
Anyone wanna break down the vulnerability, now that we've got source?

Edit: that massive string on line 203 is awfully suspicious...

Double edit: there's another massive string a few lines above that, and the script on line 1188 is pretty interesting too

[+] tyingq|4 years ago|reply
This is the search form. Pretty sure it's the results you would get after the search that has the full ssn in the html source. Still interesting in that it allows searching by the last 4 of the ssn.

And the source seems to indicate this is the "public ssn search", and that a "search by full ssn" probably also exists.

E.g.:

   let SSNSearch = document.querySelector("#pnlSSNSearchHeader");
   let SSNPublicSearch = document.querySelector("#pnlSSNPublicSearchContent");
[+] recursive|4 years ago|reply
That nasty blob on line 1188 is an obfuscated fingerprinter called "Incapsula".
[+] kevinpet|4 years ago|reply
My guess from looking at this is once you select a district, it would have populated a dropdown with teachers. The teachers were keyed off SSN as the ids in the select element. Not clearly visible in source, but would appear right away if you did "inspect element" after selecting a district.
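
A pre-release check for the kind of exposure guessed at above, where an identifier sits in markup the browser never renders (an added example, not code from the thread or the site): it flags SSN-shaped values in attribute values and script bodies and ignores six-digit district codes. The `ddlEducator` id, the sample markup and the names `scan` and `HiddenSSNScanner` are constructed.

```python
import re
from html.parser import HTMLParser

# SSN shapes: 123-45-6789 or nine bare digits, not part of a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(?:\d{3}-\d{2}-\d{4}|\d{9})(?!\d)")


class HiddenSSNScanner(HTMLParser):
    """Collects SSN-shaped values from attributes and script bodies."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, location); the matched value is not stored
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if value and SSN_RE.search(value):
                self.findings.append((self.getpos()[0], f"<{tag} {name}=...>"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and SSN_RE.search(data):
            self.findings.append((self.getpos()[0], "<script> body"))


def scan(html):
    scanner = HiddenSSNScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a district option like the one quoted in the thread, and
# an educator option keyed by a made-up nine-digit value.
SAMPLE = """<select id="ddlDistrict">
<option value="081097">PHELPS CO. R-III - 081097</option>
</select>
<select id="ddlEducator">
<option value="000000000">DOE, JANE</option>
</select>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```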
[+] denysvitali|4 years ago|reply
Please don't select "Inspect Element" or "View source". You're committing a crime.
[+] tyingq|4 years ago|reply
It does do a POST when you select a district, but not as ajax/xhr. It just tries to load a new page. It posts these form values:

  cpeSearchOne_ClientState: false
  ctlYearList$ddlYear: 2022
  cpnlDistrict_ClientState: false
  ddlDistrict: 096098
  cpnlEducator_ClientState: 
  cpnlSSN_ClientState: 
  cpnlSSNPublic_ClientState: true
  txtLastNamePublic: 
  txtSSNPublic: 

I suspect the real problem is with the page that would be rendered as the results if it weren't currently shut off.
[+] steviedotboston|4 years ago|reply
I'm not seeing any social security numbers in the source. I am seeing some six digit ID numbers though. For example,

   <option value="081097">PHELPS CO. R-III - 081097</option>

Am I missing something here?
[+] jessaustin|4 years ago|reply
This seems to be a front page without the database it requires to do its work. Which is sort of what one would expect to be on archive.org...
[+] mwcampbell|4 years ago|reply
It strikes me as irresponsible to redouble the harm of the original oversight on the part of the developers by disseminating a link to an archived copy of the leaked PII. And no, I haven't taken a look.
[+] andybak|4 years ago|reply
Is there anyone technically competent enough to make use of this who wouldn't easily be able to have located it themselves?
[+] Jolter|4 years ago|reply
I looked. There is no PII on the linked archive page.
[+] chizhik-pyzhik|4 years ago|reply
So this archive page doesn't seem to contain any SSNs directly, right? You'd have to query for a teacher to actually see it.
[+] kisamoto|4 years ago|reply
While not immediately visible, all the names and SSNs are in embedded javascript so if you inspect the source they're all there.

I presume this is a poorly executed attempt to be fast and responsive by "pre-loading" all of the data required and then using the search box as a filter on the client.

Edit: My mistake - I misinterpreted wrong IDs, these are not immediately here.

[+] anoonmoose|4 years ago|reply
I think it is possible that there was SSN data poorly encoded into the source of the page or one of the scripts

From the original Post-Dispatch article: "Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved."

[+] dogman144|4 years ago|reply
i just hacked it
[+] dlivingston|4 years ago|reply
Did you decode the encrypted HTML?! I think I saw that on Mr. Robot once.
[+] tantalor|4 years ago|reply
After looking at this for a while, I don't see any SSN in the source or any external scripts.

The original stltoday article said the information was "contained in the HTML source code" but that seems to be not the case.

[+] stefan_|4 years ago|reply
Why would there, you haven't searched for anything. Even ASP.NET isn't terrible enough to send over the entire freaking database when just loading the form.
[+] e_commerce|4 years ago|reply
People will look at abject incompetence and failure like this and use it as a *REASON* we should give more money to government!
[+] bellyfullofbac|4 years ago|reply
And some others will look at the incompetence of 1 person/team and use it as a reason to takedown the whole government...