Missouri Gov. Mike Parson on Thursday called for a criminal investigation into a reporter who discovered a vulnerability on a state website that left the Social Security numbers of thousands of public school teachers exposed.
Journalist Josh Renaud of The St. Louis Post-Dispatch posted an article Wednesday about a vulnerability in the State Department of Primary and Secondary Education. Viewing the HTML source code on the site revealed the names of the teachers and their Social Security numbers, Renaud wrote, and he contacted three teachers to verify the numbers were genuine.
Renaud also delayed the release of his findings until website administrators were able to ensure the numbers were no longer publicly visible, which is considered standard good practice in cybersecurity reporting.
But Parson said Renaud’s research and reports amount to criminal hacking, prompting an investigation by state law enforcement.
The announcement worried cybersecurity law experts who say accusing the journalist of a crime could have a chilling effect on researchers and others who discover such vulnerabilities.
“It is incredibly wrong to characterize what happened here as anything less than fully responsible and ethical,” said Aaron Mackey, a lawyer with the Electronic Frontier Foundation, a nonprofit advocating for digital rights.
“It’s a short story. It is important for the public and the people of Missouri to know that the state does not secure the personal information of hundreds of thousands of people and leaves them vulnerable,” he said.
The internet is teeming with vulnerabilities that expose personal information to potential hackers, and vulnerabilities like the one discovered by Renaud are frequently covered by the media. But in a speech Thursday, Parson accused Renaud of criminal hacking and said he referred the incident to the Cole County District Attorney’s Office and the state highway patrol.
“This individual is not a victim,” Parson said. “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell titles for their media. We will not let this crime against teachers in Missouri go unpunished, and we refuse to let them be a pawn in the media’s political vendetta.”
A spokesperson for the Missouri State Highway Patrol confirmed in an email that it was investigating “potential unauthorized access to Department of Elementary and Secondary Education data.” Cole County General Counsel Locke Thompson said in an email he would wait until this investigation is completed before deciding whether or not to lay charges.
An attorney for The St. Louis Post-Dispatch, Joe Martineau, said in an emailed statement that Renaud “did the responsible thing” by disclosing his findings to the state.
“There has been no firewall or security breach here and certainly no malicious intent,” Martineau said. “Fortunately, these failures have been discovered.”
Marcia Hoffman, a digital rights lawyer, said the state of Missouri should thank Renaud, not charge him.
“Missouri shouldn’t be suing anyone here,” Hoffman said in a text message. “Instead, the governor should congratulate the Post-Dispatch and its reporters for uncovering a serious confidentiality issue and for informing the responsible agency so the vulnerability can be remedied.”
“Maybe this situation is a little embarrassing for the state, but here’s the important thing: The website no longer creates unnecessary risk for 100,000 educators,” she said.