Missouri’s Republican Governor Mike Parson is facing backlash from lawmakers in both political parties and the media after he announced on Thursday that he intends to seek criminal prosecution against a journalist who informed his office of a security flaw in a state-run website.
On Tuesday, correspondent Josh Renaud of the St. Louis Post-Dispatch discovered that the Social Security numbers of teachers were accessible to the public on the state’s Department of Elementary and Secondary Education portal:
The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.
Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.
The paper held off on running the story until the error could be corrected. But that action came too late for a handful of victims.
The state’s Office of Administration Information Technology Services Division discovered on Wednesday that a “hacker took the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators,” the Missouri Independent has reported, noting that “the state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident.”
In fact, the flaw had been a known issue “for at least 10-12 years, if not more. The fact that this type of vulnerability is still present in the DESE web application is mind-boggling!” Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, told the Post-Dispatch in an email.
“Unfortunately, these types of flaws and poor design choices are more common than we’d like,” Khan wrote. “Local and state governments across the country are often still using applications developed many years ago and potentially containing serious security flaws.”
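The flaw described above is data that was present in the page source even though the public search interface never displayed it. As an added illustration that is not from the article and not the DESE application's code, the following Python shows the vulnerable rendering pattern beside a hardened one, and a release check that scans the raw HTML a server emits (not just the text a browser shows) for Social Security number patterns. The article does not say how the numbers were embedded beyond that the source was "decoded", so the base64 encoding used here is an assumption, and the teacher record and SSN are constructed values.

```python
"""
Added example (not the article's or the DESE application's code): a
pre-deployment check that scans raw served HTML for SSN-shaped values,
including ones that only appear after base64-decoding a fragment.
The base64 encoding is an assumption; the article only says the
page source was "decoded".
"""
import base64
import binascii
import re
from html import escape

# SSN-shaped values: 3-2-4 digits, with or without dashes.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
# Fragments that could be base64 (assumed encoding, see docstring).
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Constructed sample record; the SSN is fabricated.
TEACHER = {"name": "A. Example", "cert": "Elementary 1-6", "ssn": "123-45-6789"}


def render_vulnerable(rec):
    """Vulnerable pattern: the whole record is serialised into the page for
    the front end, even though the UI only shows name and certificate."""
    hidden = base64.b64encode(rec["ssn"].encode()).decode()
    return (
        f"<tr data-record='{hidden}'><td>{escape(rec['name'])}</td>"
        f"<td>{escape(rec['cert'])}</td></tr>"
    )


def render_hardened(rec):
    """Hardened pattern: the SSN never leaves the server; only the fields
    the public search needs are rendered."""
    return (
        f"<tr><td>{escape(rec['name'])}</td>"
        f"<td>{escape(rec['cert'])}</td></tr>"
    )


def find_ssn_leaks(html):
    """Return SSN-shaped strings found in the raw HTML, including values
    that only show up after base64-decoding attribute or text fragments."""
    hits = set(SSN_RE.findall(html))
    for token in B64_RE.findall(html):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        hits.update(SSN_RE.findall(decoded))
    return sorted(hits)


if __name__ == "__main__":
    # Run the check against both renderers; only the vulnerable one reports a leak.
    for label, renderer in [("vulnerable", render_vulnerable), ("hardened", render_hardened)]:
        leaks = find_ssn_leaks(renderer(TEACHER))
        print(f"{label}: {'LEAK ' + ', '.join(leaks) if leaks else 'clean'}")
```

The point of scanning the raw response rather than the rendered DOM is that hidden inputs, data attributes, comments and script blobs are all delivered to the client; if a field should not be public, the fix is to stop emitting it server-side, not to hide it in the markup.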
On Thursday, however, Parson decided that Renaud should be charged as the aforementioned hacker and referred the matter to the Cole County Prosecutor’s office and the Missouri State Highway Patrol for further investigation.
“The state does not take this matter lightly,” Parson said at an impromptu press briefing after which he took no questions from reporters. “This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians.”
Parson accused Renaud of playing a “political game by what is supposed to be one of Missouri’s news outlets” and stated that “the state is committed to bring to justice anyone who hacked our system and anyone who aided and abetted them to do so.” He added that Renaud was “attempting to embarrass the state and sell headlines for their news outlet.”
Parson’s fallacious and defamatory allegations were panned by Republicans, Democrats, and lawyers representing the Post-Dispatch.
“It’s clear the Governor’s office has a fundamental misunderstanding of both web technology and industry-standard procedures for reporting security vulnerabilities. Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” Republican State Representative Tony Lovasco tweeted on Thursday morning.
— Rep. Tony Lovasco (MO-64) (@tonylovasco) October 14, 2021
“The governor should direct his anger towards the failure of state government to keep its technology secure and up to date and to work to fix the problem, not threaten journalists with prosecution for uncovering those failures,” Democratic State House Minority Leader Crystal Quade of Springfield said.
Renaud “did the responsible thing by reporting his findings to (the Department of Elementary and Secondary Education) so that the state could act to prevent disclosure and misuse,” an attorney for the Post-Dispatch said in a statement. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”