SCREENSHOT VIA FACEBOOK
Missouri Gov. Parson is blaming a reporter for finding a security flaw in a state website.
The discovery that Social Security numbers of thousands of Missouri teachers were exposed on a state-operated website has spurred Gov. Mike Parson to call for criminal charges against the St. Louis Post-Dispatch
journalist who alerted officials to the vulnerability.
In a press conference Thursday
, Parson levied a direct attack on the newspaper and its reporter Josh Renaud — but Parson pointedly did not name Renaud, or the newspaper, instead offering a version of the controversy in which the state's education department "was made aware of a vulnerability" in a website storing personal information of Missouri teachers.
"This was clearly a hack," Parson said, adding later that the incident "may cost Missouri taxpayers as much as $50 million" and that his administration has contacted the Cole County Prosecutor's Office to pursue a criminal investigation.
But there was very little that's clear about Parson's accusations, which omitted key context about the role of a professional reporter contacting Missouri officials about a blatant security vulnerability in a state website.
On Wednesday evening, the Post-Dispatch
published Renaud's findings under the headline, "Missouri teachers’ Social Security numbers at risk on state agency's website."
The report described how a teacher certification search tool — an online feature maintained by the Department of Elementary and Secondary Education, or DESE — allowed any visitor to view a teacher's Social Security numbers in the page's HTML source code.
did not find any evidence that the personal data had been accessed or exploited, but this wasn't a benign discovery: A public web page's source code is designed for public access, as it is often referenced, or crawled, by search engines and web advertisers. It is not generally hidden by a password, which appears to be the case for the DESE search tool that became the subject of the Post-Dispatch
's inquiries. (You can try it yourself: For instance, on Google's Chrome browser, right-clicking on a page reveals the option to view the "Page source" and "Inspect" tool, which allows a user to view some information about the files and design used in the web page.)
This wasn't a hack, but, as the Post-Dispatch
story made clear, a web design mistake with potential harm at a vast scale. According to Renaud's findings, "based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable."
The state reacted to Renaud's inquirers. On Tuesday, October 12, the search tool was taken down. When Renaud's story was published one day later, it included the acknowledgment that the newspaper "delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies' web applications contained similar vulnerabilities."
The story includes multiple quotes from DESE spokeswoman Mallory McGowin, including a confirmation that the department's data team had acted "to get that search tool pulled down immediately, so we can dig into the situation and learn more about what has happened."
McGowin was also quoted saying that the department had begun an audit, but had not found any other instances of the vulnerability in its other web tools. She apparently remained in contact with the Post-Dispatch
as late as Tuesday.
Then, something changed. In an October 13 letter sent to teachers
and published as a press release on the DESE website, Education Commissioner Margie Vandeven wrote that the department had been "made aware" that personal information "was potentially compromised" within the data available on DESE’s website.
There was no mention of the Post-Dispatch
or its reporter; the letter instead claimed that "through a multi-step process, a hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number (SSN) of those specific educators."
The letter leaves out the fact that the supposed "hacker" was the same person who had made the department aware of the security hole — and that the three records taken had been provided to a Saint Louis University professor for verification of the vulnerability, a detail spelled-out in the eventual story.
Shaji Khan, the cybersecurity expert who reviewed the Post-Dispatch
's findings, is quoted in the October 13 story, explaining that this particular kind of security flaw has been known "for at least 10-12 years, if not more," and exclaiming, "The fact that this type of vulnerability is still present in the DESE web application is mind boggling!”
But that's not the outrage Parson is now stoking. On Thursday, the governor repeated the DESE letter's precise wording and key omissions. He accused a "hacker" of using "a multi-step process" to take records "of at least three educators" and who also "decoded the HTML source code and viewed the Social Security number of those specific educators."
While Parson's remarks copied the careful reshuffling of events that debuted in DESE's earlier letter, the press conference took the argument several steps further — while still conceding that he is attacking a news organization because it is trying to "embarrass" his administration.
"Nothing on DESE's website gave permission or authorization for this individual to access teacher data," Parson said. "This individual is not a victim, they were acting against a state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished and we refuse to let them be a pawn in the newspaper's political vendetta."
Parson's remarks were boldly self-contradictory, showing both an awareness of the details of Renaud's reporting — which had prompted DESE to take down the vulnerable web page in the first place — while presenting the journalists' actions as "wrongdoing committed by bad actors."
While repeatedly referencing "an individual" reporter and a news organization, Parson feigned ignorance toward the journalist's motives and, moments later, accused him of compromising teachers' personal information "for pathetic political gain."
"We also do not know why this individual is seeking to access, convert and take personal information from Missouri teachers," Parson said, and vowed, "We will not rest until we clearly understand the intentions of this individual and why they were targeting Missouri teachers."
is pushing back against the governor. Renaud has not responded directly to Parson's accusations. In a statement included in the October 13 story that broke the news of the DESE website vulnerability, attorney Joseph Martineau said that Renaud "had done the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse."
This wasn't an example of hacking, but watchdog journalism. Martineau argued that "there was no breach of any firewall or security" and no malicious criminal intent behind Renaud's reporting, which had led to government action to fix a pressing problem — and, now, a governor's backlash to the fallout.
“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded," Martineau's statement concluded. "Thankfully, these failures were discovered.”
Follow Danny Wicentowski on Twitter at @D_Towski. E-mail the author at [email protected]
- Sign up for our weekly newsletters to get the latest on the news, things to do and places to eat delivered right to your inbox.
- Follow us on Facebook, Twitter and Instagram.