Arkansas Democrat-Gazette

Story on database flaws riles governor

He warns of criminal inquiry into report on teachers’ Social Security numbers

- SUMMER BALLENTINE AND JIM SALTER

JEFFERSON CITY, Mo. — Republican Gov. Mike Parson on Thursday condemned one of Missouri’s largest newspapers for exposing a flaw in a state database that allowed public access to thousands of teachers’ Social Security numbers, even though the paper held off on reporting about the flaw until after the state could fix it.

Parson told reporters outside his Capitol office that the Missouri State Highway Patrol’s digital forensic unit will be conducting an investigation “of all of those involved” and that his administration had spoken to the prosecutor in Cole County, which includes the state capital, Jefferson City. He didn’t elaborate as to what he meant by “involved” or whether investigators would be looking into whether the St. Louis Post-Dispatch broke the law during the course of its reporting on the data vulnerability.

The Post-Dispatch broke the news about the security flaw Wednesday. The newspaper said it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials.

The Department of Elementary and Secondary Education removed the pages from its website Tuesday after being told about the issue by the Post-Dispatch, which said it gave the state time to fix the problem before it published its story.

The Post-Dispatch estimated that more than 100,000 Social Security numbers were vulnerable, based on pay records and other data. It found that the school workers’ Social Security numbers were in the HTML source code of the pages involved.

“The state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident,” the Department of Elementary and Secondary Education said in a news release.

Though the Post-Dispatch alerted the agency to the problem and held off on the story, the agency’s news release called the person who discovered the vulnerability a “hacker” — an apparent reference to the reporter — who “took the records of at least three educators.” The agency didn’t elaborate as to what it meant by “took the records,” and it declined to discuss the issue further than what it said in its news release.

The source code of a public webpage is accessible by right-clicking on the page.

The newspaper’s president and publisher, Ian Caso, said in a statement that the Post-Dispatch stands by the story and the reporter, who he said “did everything right.”

“It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to the Department of Elementary and Secondary Education’s attention,” Caso said.

Parson suggested that the reporter somehow broke the law.

“This individual is not a victim,” Parson told reporters. “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished.”

Peter Swire, a cyber law expert and professor at the Georgia Institute of Technology’s School of Cybersecurity and Privacy, said flagging security vulnerabilities on publicly accessible websites is a “public service” and is “clearly not criminal under federal law.”

“Right clicking does not count as criminal hacking,” Swire said.

Joseph Martineau, an attorney for the Post-Dispatch, said in a statement that the reporter “did the responsible thing by reporting his findings to [the education department] so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.”

“For [the education department] to deflect its failures by referring to this as ‘hacking’ is unfounded,” Martineau said.

Jean Maneke, an attorney for the Missouri Press Association, said she doubted any judge “would allow this to proceed very far.”

“Clearly the Post-Dispatch warned the state of this issue,” Maneke said. “There’s no evidence of any criminal or malicious intent in the act. There’s no attempt to steal information. There’s no basis for him [Parson] to say there’s any kind of illegal act from the Post-Dispatch.”

Byron Clemens, a spokesman for AFT St. Louis, Local 420, said the teachers union isn’t aware of any educators’ information being misused.

“But we are concerned over the attempt to deflect responsibility and politicize what is very obviously a security breach by the state,” Clemens said in a statement.

Meanwhile, Parson said the state will address security issues raised by the newspaper’s reporting.

“We are working to strengthen our security to prevent this incident from happening again,” Parson said. “The state is owning its part, and we are addressing areas in which we need to do better than we have done before.”
