Missouri Governor Mike Parson vows to prosecute the staff of the St. Louis Post-Dispatch after the newspaper said it discovered security holes in a state agency’s website.
The governor is calling the incident a hack and said Thursday that the state will investigate, an effort that could cost taxpayers $50 million.
“Not only will we hold this individual to account, but we will also hold accountable all those who have helped this individual and the media company that employs them,” Parson said at a press conference.
The backstory is a bit complicated, so stick with us. It starts with a website operated by the state’s Department of Elementary and Secondary Education.
The Post-Dispatch said in an article published Wednesday night that an anonymous reporter discovered flaws in this website that made the Social Security numbers of teachers and other school staff “vulnerable to public exposure.”
The issue was with a web application that allowed the public to search for teachers’ certifications and credentials. The newspaper said no private information was clearly visible or searchable, but teachers’ Social Security numbers were contained in the HTML source code of those pages. More than 100,000 Social Security numbers were vulnerable, it added.
Newspaper staff reportedly alerted DESE to the findings and delayed publication of the article, to give the agency time to protect teachers’ personal information and allow the state to check other websites for similar risks.
DESE said it informed the IT services division of the Missouri Office of Administration to disable the problematic search tool as soon as the vulnerability was verified.
“The state is not aware of any misuse of individual information or even if information was accessed inappropriately outside of this isolated incident,” it said in a press release on Wednesday.
But that press release also put the blame on the individual who discovered the security flaw. It described the discovery as a multi-step process in which “a hacker took the records of at least three educators, decoded the HTML source code, and looked up the Social Security Number (SSN) of those specific educators.”
(The HTML source code is publicly available to anyone with a web browser and can be viewed with a few clicks.)
The Post-Dispatch disputed the agency’s characterization. In fact, it said, its staff discovered the vulnerability and then confirmed with three educators and a cybersecurity expert that the nine-digit numbers were in fact Social Security numbers.
It also pointed out that DESE had failed to acknowledge – in its press release and in a letter to teachers – the full extent of the vulnerability and the fact that thousands of Social Security numbers “had been accessible to anyone through the DESE’s own search engine.”
Joseph Martineau, the Post-Dispatch’s lawyer, called DESE’s deflection and accusation “unfounded” in a statement released by the newspaper.
“The journalist acted responsibly in reporting his findings to DESE so that the state can act to prevent disclosure and misuse,” he wrote. “A hacker is someone who subverts computer security with malicious or criminal intent. Here there has been no firewall or security breach and certainly no malicious intent.”
A DESE spokesperson told NPR by email on Thursday that “we are confident that the OA-ITSD has now protected educator data to prevent further exposure.” She directed NPR to the agency’s previous press release, but declined to comment further, citing the ongoing investigation.
Governor wants to use state resources to investigate newspaper
Parson called a press conference Thursday, where he vowed to prosecute the alleged hack, then declined to answer reporters’ questions.
He said his administration had notified the Cole County district attorney and that the Missouri State Highway Patrol’s digital forensic unit would also open an investigation into “everyone involved.”
These efforts could cost taxpayers up to $50 million while diverting workers and resources from other state agencies, he said. But he said the state had vowed to “stand up against all perpetrators who attempt to steal personal information and harm Missourians.” He also said the state will work to address these security concerns.
“This individual is not a victim,” he said. “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell titles for their media.”
Martineau did not respond to NPR’s request for comment regarding the governor’s accusations.
Parson cited a state law that defines the offense of tampering with computer data, arguing that nothing on DESE’s website authorized that person to access teacher data.
He also said the law allows his administration to take civil action to recover damages against everyone involved, and said emphatically that they refused to let teachers be “a pawn in the political vendetta of the media.”
“We apologize to the hard-working Missouri teachers who now have to wonder if their personal information has been compromised for pathetic political gain by what is supposed to be one of the Missouri news outlets,” Parson said, describing them as having been put in the middle.
The Missouri State Teachers Association did not comment publicly on the governor’s remarks, but released a statement Thursday afternoon saying vulnerabilities in the DESE website have eroded educators’ confidence and calling on the state to “deploy all resources necessary” to protect their personal information.
This is not the first time Parson has taken on the media during the pandemic. As the Kansas City Star put it, he “bristled at unfavorable reporting and singled out The Star, the Post-Dispatch and the Missouri Independent for criticism of their reporting on COVID-19.”
This raises concerns about press freedom
Local and national critics express their support for the newspaper and its right to freedom of expression.
Matt Bailey, director of PEN America’s digital freedom program, called the governor’s characterization of the journalist’s actions “an affront to democracy, the free press and the public interest” in a statement provided to NPR.
“And this comes at a time when opportunistic political leaders seek to demonize the press,” he added. “Such cowardly acts simply serve the governor’s short-term interests; in the long run, they undermine an already precarious information ecosystem, where a growing number of people distrust credible accountability reports.”
He added that the newspaper and its reporters acted responsibly in disclosing and then reporting on security concerns, saying they did so in accordance with legal and ethical standards.
“Missouri Governor Mike Parson’s threats of legal action against the St. Louis Post-Dispatch and its reporter for reporting a security breach on a state website are absurd,” said Katherine Jacobsen, U.S. and Canada program coordinator at the Committee to Protect Journalists, in a report. “Using journalists as political scapegoats by branding routine research ‘hacking’ is a bad attempt to distract public attention from the government’s own security failure.”
Jean Maneke, a lawyer for the Missouri Press Association, told The Associated Press that she doubted a judge “would allow this to go very far.”
She said the newspaper’s warning the state of the security risk indicates it was not acting with criminal or malicious intent.
Democratic State Representative Crystal Quade, House Minority Leader, issued a statement Thursday, saying Parson should thank the paper, not threaten it.
“In the true tradition of public service journalism, the Post-Dispatch uncovered a problem – a publicly discernible problem for anyone who bothered to look; it verified the problem with experts; and it brought the problem to the attention of state officials for corrective action,” she wrote. “The governor should direct his anger at the state government’s failure to keep its technology secure and up to date and work to resolve the problem, not threaten journalists with lawsuits for discovering these failures.”