Missouri's governor vows to prosecute a reporter who told the state about a data security risk
The St. Louis Post-Dispatch discovered a flaw that exposed Social Security numbers for more than 100,000 Missouri teachers and alerted the state before publishing its findings, but the state is calling the act an unauthorized hack.
Missouri Gov. Mike Parson on Thursday launched a criminal investigation of a St. Louis Post-Dispatch reporter who exposed flaws on a state website that left more than 100,000 social security numbers of teachers, administrators and counselors vulnerable.
The investigation comes one day after the paper published its story and two days after the paper alerted the state of the vulnerabilities and held off running it so the state could protect the website.
The investigation begins today and according to Parson said the investigation could cost taxpayers as much as $50 million but did not detail those costs or take questions at a news conference Thursday.
During the media briefing, Parson said he is sending information to the Cole County prosecutor along with the Missouri State Highway Patrol’s Digital Forensic Unit and said the reporter acted against the state agency in “an attempt to embarrass the state and sell headlines.”
“The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so,” Parson said.
A statement from the Post-Dispatch said the reporter did the responsible thing by reporting their findings to the education department so it could then prevent misuse of the vulnerable information.
“A hacker is someone who subverts computer security with malicious or criminal intent,” said Joe Martineau, an attorney for the paper. “Here, there was no breach of any firewall or security and certainly no malicious intent.”
Parson said because the reporter who found this vulnerability did not have the authorization to access or decode the data, their actions are defined as a hack. He also said in addition to criminal charges, a civil suit could also be possible.
According to the Post-Dispatch report, it discovered the vulnerability in a web application that allowed the searching of teacher certification and credentials. Social security numbers were found in the HTML source code in the involved pages.
The paper said it delayed publishing to give the education department “time to protect teachers’ private information.”
The department has since removed the affected pages from its website as a result of the paper’s investigation.
Parson called the actions “a crime against teachers” and said the state would “hold accountable” not only the reporter who accessed the information but those who aided them, along with the paper as well.
Concerning the vulnerability of the website, Parson said these records were only available on an individual basis and were unable to be decoded all at once.
He said the state is working on strengthening the security of its web pages.
“We are addressing areas in which we need to do better than we have done before,” Parson said.
Follow Sarah on Twitter: @Sarahkellogg
Copyright 2021 St. Louis Public Radio. To see more, visit St. Louis Public Radio.