A Missouri newspaper told the state about a security risk. Now it faces prosecution
Missouri Gov. Mike Parson is vowing to prosecute the staff of the St. Louis Post-Dispatch after the newspaper says it uncovered security vulnerabilities on a state agency website.
The governor is characterizing the paper's actions as a hacking that the state will investigate. He said it could cost taxpayers $50 million.
"Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them," Parson said at a news conference on Thursday.
The backstory is a little complicated, so stick with us. It starts with a website maintained by the state's Department of Elementary and Secondary Education (DESE).
The Post-Dispatch said in a story published Wednesday night that an unnamed reporter had discovered flaws on that website that made the Social Security numbers of teachers and other school staff "vulnerable to public exposure."
The issue involved a web application that allowed the public to search teacher certifications and credentials. The newspaper said that no private information was clearly visible or searchable, but teachers' Social Security numbers were contained in the HTML source code of those pages. More than 100,000 Social Security numbers were vulnerable, it added.
Newspaper staff reportedly alerted DESE of the findings and delayed publishing the story to give the agency time to protect teachers' personal information and enable the state to check other websites for similar risks.
DESE said it notified the Missouri Office of Administration's Information Technology Services Division to disable the problematic search tool as soon as the vulnerability was verified.
"The state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident," the Office of Administration said in a news release on Wednesday.
But that news release also placed the blame on the individual who had discovered the security flaw. It described the incident as a multistep process in which "a hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number (SSN) of those specific educators."
(HTML source code is publicly available to anyone with a web browser and can be accessed in just a few clicks.)
The Post-Dispatch disputed the agency's characterization. In reality, it said, its staff had discovered the vulnerability and then confirmed with three educators and a cybersecurity expert that the nine-digit numbers were in fact Social Security numbers.
It also pointed out that DESE did not acknowledge — in its news release and in a letter to teachers — the total scope of the vulnerability and the fact that thousands of Social Security numbers "had been available to anyone through DESE's own search engine."
Joseph Martineau, the Post-Dispatch's attorney, called DESE's deflection and accusation "unfounded" in a statement published by the paper.
"The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse," he wrote. "A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent."
A DESE spokesperson told NPR over email on Thursday that "we have every confidence that OA-ITSD has now protected educators' data to prevent further exposure." She directed NPR to the agency's earlier news release but declined to comment further, citing the investigation.
The governor wants to use state resources to investigate the newspaper
Parson convened a news conference on Thursday at which he vowed to prosecute the alleged hacking and then declined to take questions from reporters.
He said that his administration had notified the Cole County prosecutor and that the Missouri State Highway Patrol's digital forensic unit would also be opening an investigation into "all of those involved."
Those efforts could cost taxpayers as much as $50 million while diverting workers and resources from other state agencies, he emphasized. But he said the state is committed to "standing up against any and all perpetrators who attempt to steal personal information and harm Missourians." He also said the state would work to address those security concerns.
"This individual is not a victim," he said. "They were acting against a state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet."
Martineau has not responded to NPR's request for comment regarding the governor's accusations.
Parson cited a state statute that defines the offense of tampering with computer data, arguing that nothing in DESE's website authorized this individual to access teacher data.
He also said that the statute allows his administration to bring a civil suit to recover damages against all of those involved and said emphatically that they refuse to let teachers be "a pawn in the news outlet's political vendetta."
"We apologize to the hardworking Missouri teachers who now have to wonder if their personal information was compromised for pathetical political gain by what is supposed to be one of Missouri's news outlets," Parson said, describing them as having been put in the middle.
The Missouri State Teachers Association has not commented publicly on the governor's remarks but released a statement on Thursday afternoon saying that the DESE website's vulnerabilities have eroded educators' confidence and calling on the state to "deploy every resource necessary" to keep their personal information secure.
This is not the first time that Parson has lashed out at the news media during the coronavirus pandemic. As The Kansas City Star put it, he has "bristled at unfavorable reporting and singled out The Star, the Post-Dispatch and the Missouri Independent for criticism over their reporting on COVID-19."
It's sparking concerns over press freedom
Local and national critics are expressing their support for the newspaper and its right to free speech.
Matt Bailey, the digital freedom program director with PEN America, called the governor's characterization of the reporter's actions as "an affront to democracy, the free press, and the public interest" in a statement provided to NPR.
"And it comes at a time when opportunistic political leaders seek to demonize the press," he added. "Such craven acts merely serve the short-term interests of the governor; in the long term, they chip away at an already-precarious information ecosystem, where a growing number of people distrust credible accountability reporting."
He added that the newspaper and its reporters acted responsibly in disclosing and then reporting on the security issues, saying they had done so in line with legal and ethical norms.
"Missouri Governor Mike Parson's threats of legal action against the St. Louis Post-Dispatch and its reporter for pointing out a security flaw on a state website are absurd," Katherine Jacobsen, the Committee to Protect Journalists' U.S. and Canada program coordinator, said in a statement. "Using journalists as political scapegoats by casting routine research as 'hacking' is a poor attempt to divert public attention from the government's own security failing."
Jean Maneke, an attorney for the Missouri Press Association, told The Associated Press that she doubts any judge "would allow this to proceed very far."
She said the fact that the newspaper warned the state about the security risk indicates it was not acting with any criminal or malicious intent.
Democratic state Rep. Crystal Quade, the House minority leader, released a statement on Thursday saying Parson should thank the newspaper, not threaten it.
"In the finest tradition of public interest journalism, the Post-Dispatch discovered a problem — one publicly discernable to anyone who bothered to look; it verified the problem with experts; and it brought the problem to the attention of state officials for remedial action," she wrote. "The governor should direct his anger towards the failure of state government to keep its technology secure and up to date and work to fix the problem, not threaten journalists with prosecution for uncovering those failures."
Copyright 2021 NPR. To see more, visit https://www.npr.org.