JEFFERSON CITY — Gov. Mike Parson on Wednesday expressed his opinion the Cole County prosecuting attorney would bring charges in the case of a Post-Dispatch reporter who alerted the state to a significant data vulnerability.
“I don’t think that’ll be the case,” Parson said when asked what he would do if the prosecutor didn’t pursue the case. “That’s up to the prosecutor; that’s his job to do.”
Parson referenced a state statute on computer tampering, which says a person commits the offense if they “knowingly and without authorization or without reasonable grounds to believe that he has such authorization” modifies or destroys data, discloses or takes data, or accesses a computer network and intentionally examines personal information.
“If somebody picks your lock on your house — for whatever reason, it’s not a good lock, it’s a cheap lock or whatever problem you might have — they do not have the right to go into your house and take anything that belongs to you,” Parson said.
People are also reading…
A Post-Dispatch reporter in October alerted the state to a data issue contained on a Department of Elementary and Secondary Education website that left Social Security numbers of educators vulnerable to public disclosure.
After alerting the state, the newspaper didn’t publish its report until after the officials moved to protect the vulnerable information. The newspaper did not disclose any personal information.
A web application that allowed the public to look up teacher certifications and credentials contained the vulnerability, the newspaper reported.
While no private information was clearly visible, the Social Security numbers for school teachers, administrators and counselors were present and accessible in the HTML source code of the publicly available pages involved.
Records obtained by the Post-Dispatch showed Education Commissioner Margie Vandeven initially planned to thank the reporter who uncovered the vulnerability.
They also showed that a state cybersecurity specialist informed Sandra Karsten, the director of the Department of Public Safety, that an FBI agent said the incident “is not an actual network intrusion.”
Instead, the specialist wrote, the FBI agent said the state’s database was “misconfigured,” which “allowed open source tools to be used to query data that should not be public.”
“These documents show there was no network intrusion,” St. Louis Post-Dispatch President and Publisher Ian Caso said this month. “As DESE initially acknowledged, the reporter should have been thanked for the responsible way he handled the matter and not chastised or investigated as a hacker.”
But Parson, who has often tangled with news outlets over reports he doesn’t like, announced a criminal investigation into the reporter and the Post-Dispatch.
Capt. John Hotz, spokesman for the Missouri State Highway Patrol, said Monday the agency had finished its probe of the Post-Dispatch and had turned the case over the Cole County Prosecuting Attorney Locke Thompson.
Thompson declined to comment on Monday and didn’t share a copy of the patrol’s investigative report.
In this Series
- 18 updates