IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Mo. Gov. Condemns Newspaper for Story on Bad Cybersecurity

Gov. Mike Parson intends to prosecute the St. Louis Post-Dispatch after the newspaper published a report detailing how Social Security numbers could be easily accessed through a state agency website.

Missouri Gov. Mike Parson - use once
RozenskiP/Shutterstock
(TNS) — Missouri Gov. Mike Parson on Thursday announced he had referred the St. Louis Post-Dispatch and its reporters for criminal prosecution after the newspaper revealed a security vulnerability it discovered on a state agency’s website.

Parson delivered a thunderous condemnation of the newspaper’s examination of three Social Security numbers that could have been publicly accessible from a website maintained by the Department of Elementary and Secondary Education, or DESE.

The announcement marked an extraordinary attack on one of Missouri’s major newspapers and a broadside at the newsgathering process at a time when former President Donald Trump and other Republicans have demonized the news media and labeled accurate reporting “fake news.”

The Post-Dispatch has said it promptly informed DESE after discovering the vulnerability and delayed publication to give the state time to fix the problem.

“This individual is not a victim,” Parson said. “They were acting against the state agency to compromise teachers in an attempt to embarrass the state and sell headlines for their news outlet.”

Parson’s decision to lash out marks a new low in his relationship with the news media, which has often been rocky during the pandemic. He faced reporting over no-bid contracts, his refusal to impose mask mandates and early stumbles in the rollout of the vaccine. He has bristled at unfavorable reporting and singled out The Star, the Post-Dispatch and the Missouri Independent for criticism over their reporting on COVID-19.

During a hastily called appearance Thursday morning, Parson accused the Post-Dispatch of being motivated by a “political vendetta.” He didn’t take questions and ignored shouted inquiries about how finding the vulnerability on a publicly viewable website to a crime.

He blamed the newspaper for spurring an investigation that he said would cost Missouri taxpayers “as much as $50 million.” Asked to substantiate that claim, his spokeswoman Kelli Jones said the state would do so “eventually.”

Parson said his office referred the matter to the Cole County Prosecutor’s Office and the Missouri State Highway Patrol’s digital forensic unit. He also mentioned the possibility of civil lawsuits against the paper.

A story published Wednesday night by the Post-Dispatch described how more than 100,000 Social Security numbers of teachers and other education department employees could have been publicly accessible because of a vulnerability on a website maintained by DESE.

“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” the newspaper’s attorney, Joseph Martineau, said in a statement for its story. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.

“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”

The Post-Dispatch reported that it found that the Social Security numbers of teachers were contained in the HTML source code of pages linked to a tool that allows the public to search teacher certifications and credentials. The newspaper said it delayed publication of the story to give DESE time to address the vulnerability and search for weaknesses on other agency sites.

HTML source code is publicly available to anyone with a web browser and essentially acts as the infrastructure underneath what someone sees when they visit a website.

But DESE labeled the individual who discovered the vulnerability a “hacker” who took the records of at least three educators. The Post-Dispatch reported that after it confirmed the numbers were Social Security numbers, it informed the department.

Parson called the discovery an unauthorized access of “encoded” data that “had to be converted and decoded in order to be revealed.”

The individual wasn’t identified in the story, but other Post-Dispatch employees have named him as Josh Renaud, who wrote the article.

©2021 The Kansas City Star, Distributed by Tribune Content Agency, LLC.