Missouri gov slams paper for uncovering data security flaw - Albuquerque Journal

Missouri gov slams paper for uncovering data security flaw

JEFFERSON CITY, Mo. — Republican Gov. Mike Parson on Thursday condemned one of Missouri’s largest newspapers for exposing a flaw in a state database that allowed public access to thousands of teachers’ Social Security numbers, even though the paper held off from reporting about the flaw until after the state could fix it.

Parson told reporters outside his Capitol office that the Missouri State Highway Patrol’s digital forensic unit will be conducting an investigation “of all of those involved” and that his administration had spoken to the prosecutor in Cole County, which includes the state capital, Jefferson City. He didn’t elaborate as to what he meant by “involved” or whether investigators would be looking into whether the St. Louis Post-Dispatch broke the law during the course of its reporting on the data vulnerability.

The Post-Dispatch broke the news about the security flaw on Wednesday. The newspaper said it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials.

The Department of Elementary and Secondary Education removed the pages from its website on Tuesday after being told about the issue by the Post-Dispatch, which said it gave the state time to fix the problem before it published its story.

The Post-Dispatch estimated that more than 100,000 Social Security numbers were vulnerable, based on pay records and other data. It found that the school workers’ Social Security numbers were in the HTML source code of the pages involved.

“The state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident,” the DESE said in a news release.

Though the Post-Dispatch alerted the agency to the problem and held off on the story, the agency’s news release called the person who discovered the vulnerability a “hacker” — an apparent reference to the reporter — who “took the records of at least three educators.” The agency didn’t elaborate as to what it meant by “took the records” and it declined to discuss the issue further than what it said in its news release when reached by The Associated Press.

Source codes are accessible by right-clicking on public webpages.

The newspaper’s president and publisher, Ian Caso, said in a statement that the Post-Dispatch stands by the story and the reporter, who he said “did everything right.”

“It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to the Department of Elementary and Secondary Education’s attention,” Caso said.

Parson also suggested that the reporter somehow broke the law.

“This individual is not a victim,” Parson told reporters. “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished.”

Peter Swire, a cyber law expert and professor at the Georgia Institute of Technology’s School of Cybersecurity and Privacy, said flagging security vulnerabilities on publicly accessible websites is a “public service” and is “clearly not criminal under federal law.”

“Right clicking does not count as criminal hacking,” Swire said.

Joseph Martineau, an attorney for the Post-Dispatch, said in a statement that the reporter “did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.”

“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded,” Martineau said.

Jean Maneke, an attorney for the Missouri Press Association, said she doubted any judge “would allow this to proceed very far.”

“Clearly the Post-Dispatch warned the state of this issue,” Maneke said. “There’s no evidence of any criminal or malicious intent in the act. There’s no attempt to steal information. There’s no basis for him (Parson) to say there’s any kind of illegal act from the Post-Dispatch.”

Byron Clemens, a spokesman for AFT St. Louis, Local 420, said the teachers union isn’t aware of any educators’ information being misused.

“But we are concerned over the attempt to deflect responsibility and politicize what is very obviously a security breach by the state,” Clemens said in a statement.

Meanwhile, Parson said the state will address security issues raised by the newspaper’s reporting.

“We are working to strengthen our security to prevent this incident from happening again,” Parson said. “The state is owning its part, and we are addressing areas in which we need to do better than we have done before.”


Salter reported from O’Fallon, Missouri.

Albuquerque Journal and its reporters are committed to telling the stories of our community.

• Do you have a question you want someone to try to answer for you? Do you have a bright spot you want to share?
   We want to hear from you. Please email yourstory@abqjournal.com

Nativo Sponsored Content

taboola desktop


PNM-Avangrid merger rejected by PRC
ABQnews Seeker
Commission cites 'demonstrated record' of poor ... Commission cites 'demonstrated record' of poor behavior from companies
Congressional map splitting ABQ advances in NM Senate
ABQnews Seeker
Democrats would have an edge in ... Democrats would have an edge in three districts, analysts say, angering GOP
COVID hospitalizations most since first of year
ABQnews Seeker
Patients lashing out at health care ... Patients lashing out at health care workers over long wait times
APD: Videos show man pummeling infant son
ABQnews Seeker
Seen saying 'die' to child Seen saying 'die' to child
Photo of gun in backpack stirs fears at La ...
ABQnews Seeker
Parents, students assail school stance on ... Parents, students assail school stance on matter
Senator, Governor's Office escalate spending dispute
ABQnews Seeker
Sen. Jacob Candelaria accused of grandstanding ... Sen. Jacob Candelaria accused of grandstanding in court filing
‘Disrespect’ a factor in fatal shooting
ABQnews Seeker
Detectives arrested a man accused of ... Detectives arrested a man accused of fatally shooting another man with not one, but two guns for disrespecting him last weekend at an apartment ...
Jurors to visit the scene of 10-year-old Victoria Martens’ ...
ABQnews Seeker
Jurors in the child death trial ... Jurors in the child death trial of Fabian Gonzales will board a bus and make a 'site visit' to the apartment where 10-year-old Victoria ...
NM House advances new map for 70-seat chamber over ...
ABQnews Seeker
Map still has to be approved ... Map still has to be approved by the Senate and the governor in order to take
ACLU: Inquiry needed into BCSO shooting
ABQnews Seeker
Death of 18-year-old requires independent investigation, ... Death of 18-year-old requires independent investigation, group says