JEFFERSON CITY, Mo. (AP) — Gov. Mike Parson on Thursday condemned the St. Louis Post-Dispatch for exposing a flaw in a state database that allowed public access to thousands of teachers’ Social Security numbers, even though the paper held off from reporting about the flaw until after the state could fix it.
Parson told reporters outside his Capitol office that the Missouri State Highway Patrol’s digital forensic unit will be conducting an investigation “of all of those involved” and that his administration had spoken to the prosecutor in Cole County.
The governor suggested that the Post-Dispatch journalist who broke the story committed a crime and said the news outlet would be held accountable.
The state’s schools department had earlier referred to the reporter who broke the story as “a hacker.”
The Post-Dispatch broke the news about the security flaw on Wednesday. The newspaper said it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials.
It notified the Department of Elementary and Secondary Education and gave it time to fix the problem before the story was published.
After removing the pages from its website Tuesday, the agency issued a news release that called the person who discovered the vulnerability a “hacker” — an apparent reference to the reporter — who “took the records of at least three educators.” The agency didn’t elaborate as to what it meant by “took the records” and it declined to discuss the issue further when reached by The Associated Press.
The Post-Dispatch journalist found that the school workers’ Social Security numbers were in the HTML source code of the pages. It estimated that more than 100,000 Social Security numbers were vulnerable.
Source codes are accessible by right-clicking on public webpages.
The newspaper’s president and publisher, Ian Caso, said in a statement that the Post-Dispatch stands by the story and journalist Josh Renaud, who he said “did everything right.”
“It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to the Department of Elementary and Secondary Education’s attention,” Caso said.
Parson suggested that Renaud somehow broke the law.
“This individual is not a victim,” Parson, a Republican, told reporters. “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished.”
Peter Swire, a cyber law expert and professor at the Georgia Institute of Technology’s School of Cybersecurity and Privacy, said flagging security vulnerabilities on publicly accessible websites is a “public service” and is “clearly not criminal under federal law.”
“Right-clicking does not count as criminal hacking,” Swire said.
Joseph Martineau, an attorney for the Post-Dispatch, said in a statement that Renaud “did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.”
“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded,” Martineau said.
Renaud’s bio lists him as a developer for the Post-Dispatch, focusing on interactive data presentations.
Jean Maneke, an attorney for the Missouri Press Association, said she doubted any judge “would allow this to proceed very far.”
“Clearly the Post-Dispatch warned the state of this issue,” Maneke said. “There’s no evidence of any criminal or malicious intent in the act. There’s no attempt to steal information. There’s no basis for him (Parson) to say there’s any kind of illegal act from the Post-Dispatch.”
Byron Clemens, a spokesman for AFT St. Louis, Local 420, said the teachers union isn’t aware of any educators’ information being misused.
“But we are concerned over the attempt to deflect responsibility and politicize what is very obviously a security breach by the state,” Clemens said in a statement.
