Skip to main contentSkip to main content
You are the owner of this article.
You have permission to edit this article.
Edit

Missouri officials planned to thank Post-Dispatch before threatening newspaper, emails show

From the Essential reading: Governor threatens Post-Dispatch after discovery of data vulnerability series
Gov. Mike Parson 'hacker' allegation

After the St. Louis Post-Dispatch reported first to the state and then in a news story that teacher Social Security numbers were at risk of exposure on a state website, Gov. Mike Parson said on Oct. 14 that the state would investigate, calling the newspaper’s actions “hacking.”

{{featured_button_text}}

JEFFERSON CITY — Before blaming the Post-Dispatch, the Department of Elementary and Secondary Education was preparing to thank the newspaper for discovering a significant data vulnerability, according to records obtained by the Post-Dispatch through a Sunshine Law request.

In an Oct. 12 email to officials in Gov. Mike Parson’s office, Mallory McGowin, spokeswoman for DESE, sent proposed statements for a press release announcing the data vulnerability the newspaper uncovered.

“We are grateful to the member of the media who brought this to the state’s attention,” said a proposed quote from Education Commissioner Margie Vandeven.

The Parson administration and DESE did not end up using that quote.

The next day, on Oct. 13, the Office of Administration issued a news release calling the Post-Dispatch journalist a “hacker.”

And on Oct. 14, Parson held a news conference to rail against the Post-Dispatch and announce a criminal investigation by the Missouri State Highway Patrol.

“We will not let this crime against Missouri teachers go unpunished,” Parson said at the news conference. “And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”

The Post-Dispatch reported on the vulnerability the night before, saying a flaw on a DESE website left more than 100,000 Social Security numbers of educators vulnerable to disclosure.

The newspaper didn’t publish its report until after the state moved to protect the vulnerable information.

A web application that allowed the public to look up teacher certifications and credentials contained the vulnerability, the newspaper reported.

No private information was clearly visible. The Social Security numbers for school teachers, administrators and counselors were present in the HTML source code of the publicly available pages involved.

Emails obtained by the newspaper document the administration’s shift in tone.

At 1:18 p.m. on Oct. 13, McGowin emailed Kelli Jones and Johnathan Shiflett, who both work in the governor’s office, to say Vandeven wanted her to meet with governor’s office officials.

“Margie asked me to come over and meet you all — on my way,” she said.

In a draft news release sent at 3:46 p.m., McGowin used the word “individual” to refer to the Post-Dispatch reporter. At 4:20 p.m., Shiflett sent a draft that used the word “hacker” instead to refer to the reporter.

“Mallory — we only made a few additional edits after yours,” Shiflett said.

Meanwhile, at 3:24 p.m. on Oct. 13, Angie Robinson, cybersecurity specialist for the state, emailed Department of Public Safety Director Sandra Karsten to inform her that she had forwarded emails from the Post-Dispatch to Kyle Storm with the FBI in St. Louis.

“Kyle informed me that after reading the emails from the reporter that this incident is not an actual network intrusion,” she said.

Instead, she wrote, the FBI agent said the state’s database was “misconfigured,” which “allowed open source tools to be used to query data that should not be public.”

“Kyle said the FBI would speak to Gwen Carroll, the AUSA (Assistant U.S. Attorney), with the updated information from the emails to see if this still fit the crime and if she was still interested in prosecuting,” Robinson said.

Karsten forwarded the email to Aaron Willard, who is Parson’s chief of staff, as well as Vandeven, Jones and other administration officials.

Brian Gant, a cybersecurity instructor at Maryville University, said the FBI agent’s assessment suggests the state had used an old, vulnerable database format that exposed teachers’ private data. It would not have required a sophisticated attack to access, he said.

“These documents show there was no network intrusion,” St. Louis Post-Dispatch President and Publisher Ian Caso said. “As DESE initially acknowledged, the reporter should have been thanked for the responsible way he handled the matter and not chastised or investigated as a hacker.”

Jones, the governor’s spokeswoman, did not respond to a request for comment on Thursday.

As of Thursday, the Highway Patrol’s investigation was still active, Capt. John Hotz told the Post-Dispatch.

A political action committee supporting Parson, Uniting Missouri, used the episode to attack the Post-Dispatch, posting a video on Oct. 20, less than a week after the governor’s press conference. The video accused the paper of “playing politics.”

“Governor Parson is standing up to the fake news media,” the video said.

Austin Huguelet of the Post-Dispatch contributed to this report.

Get Government & Politics updates in your inbox!

* I understand and agree that registration on or use of this site constitutes agreement to its user agreement and privacy policy.

Related to this story

Get up-to-the-minute news sent straight to your device.

Topics

Breaking News

Trending

National News

News