Missouri's governor vows to prosecute a reporter who told the state about a data security risk
Missouri Gov. Mike Parson on Thursday launched a criminal investigation of a St. Louis Post-Dispatch reporter who exposed flaws on a state website that left more than 100,000 Social Security numbers of teachers, administrators and counselors vulnerable.
The investigation comes one day after the paper published its story and two days after the paper alerted the state of the vulnerabilities and held off running it so the state could protect the website.
The investigation begins today, and Parson said the investigation could cost taxpayers as much as $50 million but did not detail those costs or take questions at a news conference Thursday.
During the media briefing, Parson said that he is sending information to the Cole County prosecutor along with the Missouri State Highway Patrol’s Digital Forensic Unit and that the reporter acted against the state agency in “an attempt to embarrass the state and sell headlines.”
“The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so,” Parson said.
A statement from the Post-Dispatch said the reporter did the responsible thing by reporting the findings to the education department so it could then prevent misuse of the vulnerable information.
“A hacker is someone who subverts computer security with malicious or criminal intent,” said Joe Martineau, an attorney for the paper. “Here, there was no breach of any firewall or security and certainly no malicious intent.”
Parson said because the reporter who found this vulnerability did not have the authorization to access or decode the data, the actions are defined as a hack. He said that in addition to criminal charges, a civil suit could be possible.
According to the Post-Dispatch report, it discovered the vulnerability in a web application that allowed the searching of teacher certification and credentials. Social Security numbers were found in the HTML source code in the involved pages.
The paper said it delayed publishing to give the education department “time to protect teachers’ private information.”
The department has since removed the affected pages from its website as a result of the paper’s investigation.
Parson called the actions “a crime against teachers” and said the state would “hold accountable” not only the reporter who accessed the information but those who aided them, along with the paper as well.
Concerning the vulnerability of the website, Parson said these records were only available on an individual basis and were unable to be decoded all at once.
He said the state is working on strengthening the security of its web pages.
“We are addressing areas in which we need to do better than we have done before,” Parson said.
Follow Sarah on Twitter: @Sarahkellogg
Copyright 2021 St. Louis Public Radio. To see more, visit St. Louis Public Radio.