Gov. Parson said fixing a security flaw found by reporter would cost $50 million. Democrats doubt that
Gov. Mike Parson demanded the investigation of a journalist who alerted the state to a website security flaw, pegging the cost to the state at $50 million. Democrats say that number is unrealistic, and it’s not clear what the money would be used for.
When Gov. Mike Parson last week angrily called for the St. Louis Post-Dispatch to be prosecuted for uncovering security flaws on a state agency website, he said the newspaper’s actions could “cost Missouri taxpayers up to $50 million.”
That amount, two Democrats on the House Budget Committee said Tuesday, is an estimate for providing credit monitoring to protect against misuse of personal data and a call center to answer questions from educators whose private data may have been exposed.
And, state Rep. Peter Merideth said, the estimate is not a very good one.
“He pulled it straight out of his ass,” Merideth said in an interview with The Independent Tuesday.
Merideth, the ranking Democrat on the committee, and Rep. Kevin Windham, D-Hillsdale, said in a news release that they asked nonpartisan appropriations staff to find out what Parson, a Republican, intended to do with the money.
They were informed, Meridith said, that the governor’s statement was “a very rough and preliminary estimate,” the funds that would be tapped have not been identified and the timeline for doing anything was unclear.
In the release, Meridith and Windham said the Post-Dispatch protected the state by holding the story until the data issue was fixed.
If the person who found the data had bad intent, Windham said, the price could have escalated.
“I remain concerned about potential costs to the state resulting from lawsuits and the like, however I’m far more concerned about the 100,000 educators whose sensitive information was handled with such negligence,” Windham said. “Our state is incredibly fortunate that the person who found this vulnerability reported it to the state as soon as they did.”
The reason the estimate is questionable, Meridith said, is that it may duplicate something the state has already been forced to do to protect the data of educators.
The state purchased 24 months of credit monitoring for potential victims of a data security problem at the Public School and Education Employees Retirement System, the Post-Dispatch reported Tuesday. The system notified its more than 128,000 active members and 100,000 beneficiaries of the Sept. 11 breach the same day that Parson lashed out at the story about teacher data.
The data for about 100,000 active educators was accessible through the Department of Elementary and Secondary Education website.
“I doubt it costs $50 million for 100,000 people to have credit monitoring,” Meridith said.
In the story that enraged Parson, the Post-Dispatch reported a website set up for the public to search the credentials of individual educators exposed Social Security numbers. The numbers were visible embedded in the code that tells the computer how to display a page, which can be viewed by pressing the F12 key on both Apple and Microsoft operating systems.
The reporter viewed three Social Security numbers, the newspaper reported. The Post-Dispatch informed the department and refrained from publishing a story about the issue until the data was no longer available.
In the statement Parson read to reporters without taking questions, he said the reporter who found the issue was a hacker and that viewing the data was a crime. He said he referred the case to Cole County Prosecuting Attorney Locke Thompson and that the Missouri State Highway Patrol would investigate.
“This incident alone may cost Missouri taxpayers as much $50 million and divert workers and resources from other state agencies,” Parson said. “This matter is a serious matter.”
By making that statement as he described the law enforcement response, Meridith said, Parson was suggesting that the investigation would cost that much.
“He very clearly was trying to suggest that this was what we would have to spend to hold this guy accountable, or this is what we have to spend because of what this journalist did,” Meridith said to The Independent. “The money is because of the exposure and the failure of the state to maintain the security of the data.”
Parson defended his call for prosecution in a Facebook post the day after his public statement.
“This information was not freely available and was intentionally decoded,” Parson wrote. “By the actor’s own admission, the data had to be taken through eight separate steps in order to generate a (Social Security number).”
This story was originally published on the Missouri Independent.