JEFFERSON CITY — Gov. Mike Parson lashed out at the St. Louis Post-Dispatch on Thursday, two days after the newspaper informed the state of a data risk that left 100,000 Social Security numbers vulnerable to public disclosure.
Parson said at a news conference that the Cole County prosecutor and the Missouri Highway Patrol would investigate the matter. He said the news outlet that uncovered and reported the vulnerability would be held accountable but didn’t mention action against the state officials who maintained a faulty system.
“We are coordinating state resources to respond and utilize all legal methods available,” Parson said. “My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol’s digital forensic unit will also be conducting an investigation of all of those involved.”
The Post-Dispatch reported Wednesday on a significant security flaw on a Department of Elementary and Secondary Education website.
A web application that allowed the public to look up teacher certifications and credentials contained the vulnerability, the newspaper reported.
No private information was clearly visible. The Social Security numbers for school teachers, administrators and counselors were present in the HTML source code of the publicly available pages involved.
The newspaper reported the flaw to DESE on Tuesday and waited to publish any report until the information was removed from the state website.
The Department of Elementary and Secondary Education released statements Wednesday describing a Post-Dispatch journalist as a “hacker.”
On Thursday, Parson said the “individual” who alerted DESE was attempting to “embarrass the state and sell headlines for their news outlet.”
The governor continued, “We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”
Parson, who has often tangled with the state’s media outlets over coverage he dislikes, did not take any questions at the news conference. He also didn’t respond to questions that were yelled at him as he retreated into his office.
“This incident alone may cost Missouri taxpayers as much as $50 million and divert workers and resources from other state agencies,” Parson said. A spokeswoman for the governor did not immediately elaborate after the news conference.
He was flanked at the appearance by Sandra Karsten, director of the Department of Public Safety, and Capt. John Hotz of the Missouri State Highway Patrol.
Parson said the reporter had taken multiple steps to discover the potential breach and cited a state cybersecurity law as he threatened legal action.
“This individual did not have permission to do what he did,” Parson said.
The data on DESE’s website was encoded but not encrypted, said Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis — and that’s a key distinction.
No one can view encrypted data without the specific decryption key used to hide the data. But encoded just means the data is in a different format, and can be relatively easily decoded and viewed.
“Anybody who knows anything about development — and the bad guys are way ahead — can easily decode that data,” Khan said on Thursday.
But the bigger problem, Khan said, is that the sensitive data was there at all.
The state auditor’s office has expressed concern about education-related data collection practices. A 2015 audit found that DESE was unnecessarily storing students’ Social Security numbers and other personally identifiable information in its Missouri Student Information System. The audit urged the department to stop that practice and to create a comprehensive policy for responding to data breaches, among other recommendations. The department complied, but clearly at least one other system contained an undetected vulnerability.
Post-Dispatch Publisher Ian Caso said Thursday, “We stand by our reporting and our reporter who did everything right. It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.”
The newspaper’s attorney, Joseph Martineau, of Lewis Rice, said in a statement Wednesday, “The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse.”
Martineau continued, “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.
“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
Attorney Jean Maneke of the Missouri Press Association said Parson’s actions appear more political than legal.
“Government officials often threaten legal action even when there is no basis for it. It was often used by the Trump administration to intimidate reporters,” Maneke said. “I am not aware of any time a public official has sued a member of the media for something like this and had a successful lawsuit.”
Maneke said the report is an example of public service journalism.
“There is not a solid basis to suggest the Post-Dispatch did anything wrong. The story simply points out that government dropped the ball. It is to the public’s benefit that this information be out there to protect sensitive information,” Maneke said.
Auditor Nicole Galloway, a Democrat who was defeated by Parson in the 2020 gubernatorial election, said the onus is on government to protect its citizens.
“State agencies that collect sensitive, personally identifiable information have an obligation to carefully evaluate whether they need to collect it in the first place and then how they will protect it,” Galloway said.
In a statement, House Minority Leader Crystal Quade, D-Springfield, blasted Parson for describing the incident as a hacking.
“Instead of falsely blaming the St. Louis Post-Dispatch for a ‘hacking’ that never happened, Governor Parson should thank the paper for uncovering a serious flaw in a state website that exposed the personal information of more than 100,000 Missouri educators,” Quade said.
“The governor should direct his anger towards the failure of state government to keep its technology secure and up to date and to work to fix the problem, not threaten journalists with prosecution for uncovering those failures,” she said.
Attorney Elad Gross, who won a state Supreme Court case in June after suing Parson over Sunshine Law provisions, called the governor’s remarks “ridiculous and scary” in terms of blaming the Post-Dispatch for the state’s security flub.
Gross cited Missouri law that reads “no state entity shall publicly disclose any Social Security number of a living person unless such disclosure is permitted by federal law.”
“If any investigation needs to be done, it’s of the state entity that allowed these numbers to be out there,” said Gross, a St. Louis Democrat who ran for attorney general last year.
A spokesman for the state teachers’ union said protecting educators’ information should be the top priority of any investigation.
“Move past blaming anyone for exposing a problem and protect the people who were vulnerable to it,” said Mark Jones of the Missouri National Education Association.
Rep. Tony Lovasco, R-St. Charles County, who said he has two decades of experience in IT sales and has coded as a hobby, said Parson’s office had “a fundamental misunderstanding” of the situation.
“It’s clear the Governor’s office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities,” he tweeted. “Journalists responsibly sounding an alarm on data privacy is not criminal hacking.”
The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials.
In this Series
- 12 updates