The governor of Missouri on Thursday vowed to prosecute staffers with the St. Louis Post-Dispatch for discovering a “vulnerability” in a state computer database that left the social security numbers of more than 100,000 “teachers, administrators and counselors” exposed to the public.
“The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials,” the newspaper reported in the now-controversial piece. “The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.”
The original story contains the byline of Josh Renaud who is listed as a “developer” for the newspaper. It is unclear if he is the “reporter” referenced within the article who uncovered the flaw or who did the investigative work which led to the story’s publication.
In a lengthy tweetstorm spread across several separate threads on Thursday, Missouri Gov. Mike Parson (R) called whoever was responsible for the report a “hacker” who was “targeting Missouri teachers.” Parson said state government needed to “clearly understand the intentions” of whoever was involved with the newspaper’s report and that he had ordered the Missouri Highway Patrol and a county prosecutor to “bring to justice . . . anyone who aided or encouraged” the publication. A few of the governor’s many tweets are embedded below:
This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires.
— Governor Mike Parson (@GovParsonMO) October 14, 2021
A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.
— Governor Mike Parson (@GovParsonMO) October 14, 2021
We will not rest until we clearly understand the intentions of this individual and why they were targeting Missouri teachers.
— Governor Mike Parson (@GovParsonMO) October 14, 2021
In a follow-up report regarding the governor’s threats, the Post-Dispatch deftly — and perhaps sarcastically — pointed out that the Show Me State’s executive appeared more interested in prosecuting those who uncovered the “faulty system” than he appeared interested in targeting those who actually built it and operated it. Or, despite his state’s nickname, perhaps the governor didn’t like to be shown anything at all.
The state website which led to the governor’s threats of prosecution reportedly contained a portal for the public to identify the license status of Missouri teachers.
“No private information was clearly visible” on the state website, the Post-Dispatch said. “The teachers’ Social Security numbers were present in the publicly visible HTML source code of the pages involved.”
Parson characterized the newspaper’s efforts to view the source code as clandestine at best or illegal at worst. Here, the governor references DESE — that’s the state’s Department of Elementary and Secondary Education:
We want to be clear, this DESE hack was more than a simple “right click.”
THE FACTS: An individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers’ personal information. (1/3) pic.twitter.com/JKgtIpcibM
— Governor Mike Parson (@GovParsonMO) October 14, 2021
This data was not freely available, and by the actors own admission, the data had to be taken through eight separate steps in order to generate a SSN. (2/3)
— Governor Mike Parson (@GovParsonMO) October 14, 2021
Under Missouri law, a person commits the offense of tampering with computer data if her or she knowingly and without authorization accesses, takes, and examines personal information. Section 569.095, RSMo. (3/3)
— Governor Mike Parson (@GovParsonMO) October 14, 2021
Attorney Joseph Martineau represents the Post-Dispatch. He walked the newspaper’s readers through the relevant law and deflated the governor’s attempt to convince the electorate that “hacking” had occurred.
“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” Martineau said in a later Post-Dispatch report. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.”
In other words, Parson at least identified the sticking point of the inquiry — the intent of the actor — but his probe will likely come up flat if he intends to prove a case beyond a reasonable doubt.
“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded,” Martineau added. “Thankfully, these failures were discovered.”
DESE said in a press release that it sought assistance from the state’s Office of Administration – Information Technology Services Division to remedy the issue:
Upon learning of this vulnerability, ITSD removed public access from the system and updated the code to remediate the vulnerability immediately. All similarly situated public-facing systems were evaluated for this vulnerability and no other instances were found. Modernizing the State’s systems is a high priority to assure ever changing security threats are addressed.”
At times, Parson lashed out at the newspaper during a morning press conference.
“They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Parson said. “We will not let this crime against Missouri teachers go unpunished and we refuse to let them be a pawn in the news outlet’s political vendetta.”
Parson claimed fixing the issue might cost taxpayers $50 million while attempting to blame the newspaper, not the website’s developers, for the problem.
From the opposite end of the state, the Kansas City Star noted that the Show Me State had long employed a process of “scouring public information in search of security gaps” in state systems.That process “stands in marked contrast to how Parson reacted Thursday,” the newspaper along the western edge of Missouri said.
The Star further explained that state audits had for years indicated that DESE systems were vulnerable. It characterized the fight Parson picked with its competing publication on the eastern side of the state as one which “raised concerns about press freedom.”
“Another official might have thanked the newspaper for spotting the flaw and giving a heads-up before publicizing it — or at least downplayed what appears to be an embarrassing government mishap,” the Washington Post observed from the seat of federal power on the East Cost.
Online criticism of the governor’s hard-line stance against the Post-Dispatch was harsh. Some pointed out the difference between reading code served up by a state computer server and actually entering a protected or encrypted system without authorization.
Gov. Parson is threatening to prosecute a journalist who 100% did the ethical thing by telling the state they were publishing teacher SSNs online, then holding publication of the story until after the state fixed it. That’s the gold standard for reporting security failures. https://t.co/gVCWV7elzE
— Tony Webster (@webster) October 14, 2021
Looking at source code isn’t hacking, and it’s easily doable by anyone with access to a web browser.
— Adrienne P🎃rter Felt (@__apf__) October 14, 2021
That’s a fancy way of saying, “We stored teachers’ SSNs in plain text, and now we’re trying to deflect blame onto the concerned citizen who notified us of the issue.”
— Alyssa Voronin (@TranshumanBlues) October 14, 2021
No, you’re right. It wasn’t one click. It was 3 to 5 clicks. On a webpage that your webserver SERVED to the public.
On behalf of everyone who actually understands how computers work, please get a clue.https://t.co/IyLRjQjaGr
— Catdraíochta 🌍🌹🇮🇪 (@CatsCavern) October 14, 2021
I don’t know what data was accessed, or what political party you’re with – nor do I really care. It’s not my country.
But I do care that you’re spreading disinformation instead of taking ownership of the fact that you freely shared the data with the public on your webserver.
— Catdraíochta 🌍🌹🇮🇪 (@CatsCavern) October 14, 2021
whoever is explaining html encoding/decoding to you has no fucking clue what they’re talking about, Mike. the State of Missouri has leaked teachers’ PII, they have not been “hacked.” this is a pathetic attempt at misdirection of blame.
— Road 0f Excess (@Palace0fWisdom) October 14, 2021
OR your IT department is covering their own asses by feeding you this technobabble and no one in your administration is savvy enough to know better.
— Road 0f Excess (@Palace0fWisdom) October 14, 2021
To be CLEAR, HTML source code is FREELY available on a web page. It is NEVER secure.
THE FACTS: If your devs put PII (such as SS numbers) in HTML source code, then they made a massive security blunder. The problem is with the developer of the app, not the reporter.
— Adam Pavlacka (@gamescan) October 14, 2021
This is more than a “security blunder”. @GovParsonsMO, your web developers encoded (without encryption) SSNs and displayed them openly on the web.
You have a massive data breach here. You need to engage a competent Incident Response firm & legal counsel immediately.
— Ben Goerz (@bengoerz) October 14, 2021