The governor of Missouri on Thursday vowed to prosecute staffers with the St. Louis Post-Dispatch for discovering a “vulnerability” in a state computer database that left the social security numbers of more than 100,000 “teachers, administrators and counselors” exposed to the public.
“The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials,” the newspaper reported in the now-controversial piece. “The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.”
The original story contains the byline of Josh Renaud, who is listed as a “developer” for the newspaper. It is unclear if he is the “reporter” referenced within the article who uncovered the flaw or who did the investigative work which led to the story’s publication.
In a lengthy tweetstorm spread across several separate threads on Thursday, Missouri Gov. Mike Parson (R) called whoever was responsible for the report a “hacker” who was “targeting Missouri teachers.” Parson said state government needed to “clearly understand the intentions” of whoever was involved with the newspaper’s report and that he had ordered the Missouri Highway Patrol and a county prosecutor to “bring to justice . . . anyone who aided or encouraged” the publication.
In a follow-up report regarding the governor’s threats, the Post-Dispatch deftly — and perhaps sarcastically — pointed out that the Show Me State’s executive appeared more interested in prosecuting those who uncovered the “faulty system” than he appeared interested in targeting those who actually built it and operated it. Or, despite his state’s nickname, perhaps the governor didn’t like to be shown anything at all.
The state website which led to the governor’s threats of prosecution reportedly contained a portal for the public to identify the license status of Missouri teachers.
“No private information was clearly visible” on the state website, the Post-Dispatch said. “The teachers’ Social Security numbers were present in the publicly visible HTML source code of the pages involved.”
Parson characterized the newspaper’s efforts to view the source code as clandestine at best or illegal at worst. In doing so, the governor referenced DESE, the state’s Department of Elementary and Secondary Education.
Attorney Joseph Martineau represents the Post-Dispatch. He walked the newspaper’s readers through the relevant law and deflated the governor’s attempt to convince the electorate that “hacking” had occurred.
“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” Martineau said in a later Post-Dispatch report. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.”
In other words, Parson at least identified the sticking point of the inquiry — the intent of the actor — but his probe will likely come up flat if he intends to prove a case beyond a reasonable doubt.
“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded,” Martineau added. “Thankfully, these failures were discovered.”
DESE said in a press release that it sought assistance from the state’s Office of Administration – Information Technology Services Division to remedy the issue:
“Upon learning of this vulnerability, ITSD removed public access from the system and updated the code to remediate the vulnerability immediately. All similarly situated public-facing systems were evaluated for this vulnerability and no other instances were found. Modernizing the State’s systems is a high priority to assure ever changing security threats are addressed.”
At times, Parson lashed out at the newspaper during a morning press conference.
“They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Parson said. “We will not let this crime against Missouri teachers go unpunished and we refuse to let them be a pawn in the news outlet’s political vendetta.”
Parson claimed fixing the issue might cost taxpayers $50 million while attempting to blame the newspaper, not the website’s developers, for the problem.
From the opposite end of the state, the Kansas City Star noted that the Show Me State had long employed a process of “scouring public information in search of security gaps” in state systems. That process “stands in marked contrast to how Parson reacted Thursday,” the newspaper along the western edge of Missouri said.
The Star further explained that state audits had for years indicated that DESE systems were vulnerable. It characterized the fight Parson picked with its competing publication on the eastern side of the state as one which “raised concerns about press freedom.”
“Another official might have thanked the newspaper for spotting the flaw and giving a heads-up before publicizing it — or at least downplayed what appears to be an embarrassing government mishap,” the Washington Post observed from the seat of federal power on the East Coast.
Online criticism of the governor’s hard-line stance against the Post-Dispatch was harsh. Some pointed out the difference between reading code served up by a state computer server and actually entering a protected or encrypted system without authorization.