On Tuesday, a reporter with the St. Louis Post-Dispatch alerted the state that Social Security numbers of school teachers and administrators were vulnerable to public exposure due to flaws on a website maintained by Missouri’s department of education.
The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state.
But by Thursday, Gov. Mike Parson was labeling the Post-Dispatch reporter a “hacker” and vowing to seek criminal prosecution.
“The state does not take this matter lightly,” Parson said Thursday at a hastily called press conference. He refused to take questions afterward.
Parson said he had referred the matter to the Cole County Prosecutor and had asked the Missouri State Highway Patrol to investigate.
“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” he said.
According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teachers’ Social Security numbers were contained in the HTML source code of the pages.
The state removed the search tool after being notified of the issue by the Post-Dispatch. It was unclear how long the Social Security numbers had been vulnerable.
In a press release Wednesday, the Office of Administration Information Technology Services Division said that through a multi-step process, a “hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators.”
The state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident.
Parson said Thursday that he wasn’t sure why the reporter had accessed the information. He claimed it was part of a “political game by what is supposed to be one of Missouri’s news outlets.”
“The state is committed to bring to justice anyone who hacked our system and anyone who aided and abetted them to do so,” Parson said, later arguing that the reporter was “attempting to embarrass the state and sell headlines for their news outlet.”
State Rep. Tony Lovasco, a Republican, who according to his legislative biography has worked in software deployment and maintenance, tweeted Thursday that “it’s clear the Governor’s Office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.
“Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” he said.
Chris Vickery, a California-based data security expert, told The Independent that it appeared the department of education was “publishing data that it shouldn’t have been publishing.
“That’s not a crime for the journalists discovering it,” he said. “Putting Social Security numbers within HTML, even if it’s ‘non-display rendering’ HTML, is a stupid thing for the Missouri website to do and is a type of boneheaded mistake that has been around since day one of the Internet. No exploit, hacking or vulnerability is involved here.”
In explaining how he hopes the reporter and news organization will be prosecuted, Parson pointed to a state statute defining the crime of tampering with computer data. Vickery said that statute wouldn’t work in this instance because of a recent decision by the U.S. Supreme Court in the case of Van Buren v. United States.
The court ruled in that case that someone violates the law when they access files or other information that is off-limits to them. In Missouri, Vickery said, the state publishing “the HTML source to the public internet, with no hurdles of a password or other requisite form of authentication challenge, means the public can reasonably assume to be authorized to view that content for the purposes of laws related to ‘computer trespass’ forms of offense.”
The Post-Dispatch published a statement in response from its attorney, saying the reporter “did the responsible thing by reporting his findings to [the Department of Elementary and Secondary Education] so that the state could act to prevent disclosure and misuse.
“A hacker is someone who subverts computer security with malicious or criminal intent,” the statement continued. “Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
House Minority Leader Crystal Quade, D-Springfield, said the Post-Dispatch deserved praise, not threats, for discovering a problem.
“The governor should direct his anger towards the failure of state government to keep its technology secure and up to date and to work to fix the problem,” she said, “not threaten journalists with prosecution for uncovering those failures.”
This article by Jason Hancock is published by permission of The Missouri Independent.