Missouri Threatens to Sue a Reporter Who Flagged a Security Flaw

The governor warned that he would take legal action against a journalist who identified a vulnerability that exposed teachers’ Social Security numbers.
Photo caption: Governor Mike Parson. The St. Louis Post-Dispatch seems to have done exactly what ethical security researchers do when finding a bug: give the organization time to fix it before going public. Photograph: Jacob Moscovitch/Getty Images

Missouri governor Mike Parson on Thursday threatened to prosecute and seek civil damages from a St. Louis Post-Dispatch journalist who identified a security flaw that exposed the Social Security numbers of teachers and other school employees, claiming that the journalist is a “hacker” and that the newspaper's reporting was nothing more than a “political vendetta” and “an attempt to embarrass the state and sell headlines for their news outlet.” The Republican governor also vowed to hold the Post-Dispatch “accountable” for the supposed crime of helping the state find and fix a security vulnerability that could have harmed teachers.

The issue was discovered in a website maintained by the state’s Department of Elementary and Secondary Education (DESE). Despite Governor Parson's surprising description of a security report that normally wouldn't be particularly controversial, it appears that the Post-Dispatch handled the problem in a way that prevented harm to school employees while encouraging the state to close what one security professor called a "mind-boggling" vulnerability. Josh Renaud, a Post-Dispatch web developer who also writes articles, wrote in a report published Wednesday that more than 100,000 Social Security numbers were vulnerable "in a web application that allowed the public to search teacher certifications and credentials." The Social Security numbers of school administrators and counselors were also vulnerable.

"Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers' Social Security numbers were contained in the HTML source code of the pages involved," the report said.

The Post-Dispatch seems to have done exactly what ethical security researchers generally do in these situations: give the organization with the vulnerability time to close the hole before making it public.

"The newspaper delayed publishing this report to give the department time to take steps to protect teachers' private information and to allow the state to ensure no other agencies' web applications contained similar vulnerabilities," the article said. The news report was published one day after the "department removed the affected pages from its website."

As of this writing, the DESE's educator-credentials checker was "down for maintenance."

Governor: Journalist Tried to ‘Harm Missourians’

Parson described the journalist as a "perpetrator" who "took the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators" in an "attempt to steal personal information and harm Missourians."

Major web browsers include options such as "view source" or "view page source" to look at a webpage's HTML, so anything in that code is easily available. The initial Post-Dispatch article didn't go into detail about how the Social Security numbers were obtained from HTML source code, but a follow-up article about Parson's legal threats Thursday said that the "teachers' Social Security numbers were present in the publicly visible HTML source code of the pages involved." The numbers weren't available in plain text but were easily converted, the Post-Dispatch continued:

The data on DESE's website was encoded but not encrypted, said Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis—and that's a key distinction. No one can view encrypted data without the specific decryption key used to hide the data. But encoded just means the data is in a different format and can be relatively easily decoded and viewed.

"Anybody who knows anything about development—and the bad guys are way ahead—can easily decode that data," Khan said on Thursday.
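To make Khan's encoded-versus-encrypted distinction concrete, here is an added example (not code from the article, the Post-Dispatch, or DESE's application): a pre-release check a web team could run over its own server-rendered HTML to flag SSN-shaped values that are visible directly or after a keyless base64 decode, alongside the masked rendering that ships only the last four digits. The base64 encoding, the markup and the sample SSN are constructed assumptions; the article does not say which encoding the state's page used.

```python
from __future__ import annotations
import base64
import binascii
import re

# SSN-shaped values: nine digits with optional hyphens after the 3rd and 5th.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
# Base64-looking runs long enough to hold a nine-digit number.
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

# Constructed sample SSN; base64 is an assumption, the article does not
# say what encoding DESE's page used.
SAMPLE_SSN = "123-45-6789"
ENCODED_SSN = base64.b64encode(SAMPLE_SSN.encode()).decode()


def mask_for_client(ssn: str) -> str:
    """Server-side: send only the last four digits the search tool needs
    for disambiguation; the full number never reaches the browser."""
    return "***-**-" + ssn[-4:]


# Constructed markup in the style of a credential-lookup results row.
VULNERABLE_HTML = f"""
<tr><td>Jane Doe</td><td>Teacher</td>
<td class="cert" data-id="{ENCODED_SSN}">Active</td></tr>
"""
FIXED_HTML = f"""
<tr><td>Jane Doe</td><td>Teacher</td>
<td class="cert" data-id="{mask_for_client(SAMPLE_SSN)}">Active</td></tr>
"""


def find_ssn_exposures(html: str) -> list[tuple[str, str]]:
    """Return (how_found, value) for every SSN-shaped value that a browser's
    'view source' reveals, directly or after a base64 decode. The decode
    needs no key, which is why encoding is not protection."""
    hits = [("plain", m.group()) for m in SSN_RE.finditer(html)]
    for m in B64_RE.finditer(html):
        try:
            decoded = base64.b64decode(m.group(), validate=True)
        except (binascii.Error, ValueError):
            continue  # ordinary words that merely look base64-ish
        text = decoded.decode("utf-8", errors="ignore")
        hits += [("base64", n.group()) for n in SSN_RE.finditer(text)]
    return hits


if __name__ == "__main__":
    print("vulnerable:", find_ssn_exposures(VULNERABLE_HTML))  # one base64 hit
    print("fixed:     ", find_ssn_exposures(FIXED_HTML))       # []
```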

Governor Notified Prosecutor of ‘Crime Against Teachers’

Parson spoke Thursday at a "press conference regarding [the] data vulnerability and [the] state's plan to hold perpetrators accountable," and he posted a condensed version of his remarks on Facebook.

"It is unlawful to access encoded data and systems in order to examine other people's personal information, and we are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol's Digital Forensic Unit will also be conducting an investigation of all of those involved," he said.

Parson went on to say that state law "allows us to bring a civil suit to recover damages against all those involved." He cited Missouri code 569.095, which classifies "tampering with computer data" as a class A misdemeanor.

Parson continued:

Nothing on DESE's website gave permission or authorization for this individual to access teacher data. This individual is not a victim. They were acting against a state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet.

We will not let this crime against Missouri teachers go unpunished, and we refuse to let them be a pawn in the news outlet's political vendetta. Not only are we going to hold this individual accountable but we will also be holding accountable all those who aided this individual and the media corporation that employs them.

Parson further claimed that the incident "may cost Missouri taxpayers up to $50 million and divert workers and resources from other state agencies," though that number might be inflated by Parson trying to turn a simple report of a security vulnerability into a criminal hacking case.

Blaming the Messenger

Despite focusing at length on the messenger instead of the problem caused by the state's poor security practices, Parson then said that "the state is owning its part" by fixing the problem and strengthening its security. But he quickly pivoted back to blaming the news organization, saying:

We will not rest until we clearly understand the intentions of this individual and why they were targeting Missouri teachers. What they did is beyond unethical. We apologize to the hard-working Missouri teachers who now have to wonder if their personal information was compromised for pathetic political gain by what is supposed to be one of Missouri's news outlets. We value our teachers and it is unfortunate that they have been put in the middle of this. But rest assured, we will not stop until we get them the assistance they need, ensure their information is secure, and get justice by holding those responsible accountable.

Immediately after finishing that statement, Parson walked away from the podium and took no questions. Parson's threats got the attention of the Missouri Independent, which published a story titled "Missouri Governor Vows Criminal Prosecution of Reporter Who Found Flaw in State Website."

The blame game began even before Parson's press conference, as Wednesday's Post-Dispatch report said:

In the letter to teachers, Education Commissioner Margie Vandeven said "an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators."

In reality, the Post-Dispatch discovered the vulnerability and confirmed that the nine-digit numbers were indeed Social Security numbers. The paper then told the department that it had confirmed the vulnerability with three educators and a cybersecurity expert.

The Post-Dispatch story included the paper's attorney's response to the state's accusations.

"The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse," Post-Dispatch attorney Joseph Martineau wrote in the statement. "A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as 'hacking' is unfounded. Thankfully, these failures were discovered."

Parson's definition of "hacker" is quite broad, as he claimed that "a hacker is someone who gains unauthorized access to information or content."

"Under Missouri law, a person commits the offense of tampering with computer data if he or she knowingly and without authorization accesses, takes, and examines personal information without permission," Parson said. "This data was not freely available and had to be converted and decoded in order to be revealed."

A ‘Mind-Boggling’ Flaw

The Post-Dispatch also spoke with Professor Khan for its initial story on the vulnerability. "We have known about this type of flaw for at least 10-12 years, if not more," Khan told the newspaper in an email. "The fact that this type of vulnerability is still present in the DESE web application is mind-boggling!"

"Unfortunately, these types of flaws and poor design choices are more common than we'd like," Khan also wrote. "Local and state governments across the country are often still using applications developed many years ago and potentially containing serious security flaws."

While the Post-Dispatch apparently confirmed the flaw by looking at just a few employees' records, the article said that "state pay records and other data" indicate that "more than 100,000 Social Security numbers were vulnerable."

Local teacher's union spokesperson Byron Clemens told the Post-Dispatch, "We're pretty shocked to hear" about the vulnerability exposing teachers' personal data. Clemens "praised DESE for taking quick action to remove the affected website, but cautioned, 'We don't know if anybody's been harmed yet.'"

Thursday's follow-up story in the Post-Dispatch pointed out that Parson "has often tangled with the state's media outlets over coverage he dislikes" and that, after this morning's press conference, he "didn't respond to questions that were yelled at him as he retreated into his office."

Missouri Press Association attorney Jean Maneke was quoted as saying, "There is not a solid basis to suggest the Post-Dispatch did anything wrong. The story simply points out that government dropped the ball. It is to the public's benefit that this information be out there to protect sensitive information." Maneke also said that Parson's tactic of "threaten[ing] legal action even when there is no basis for it... was often used by the Trump administration to intimidate reporters." She added, "I am not aware of any time a public official has sued a member of the media for something like this and had a successful lawsuit."

Missouri House minority leader Crystal Quade (D-Springfield) said that "instead of falsely blaming the St. Louis Post-Dispatch for a 'hacking' that never happened, Governor Parson should thank the paper for uncovering a serious flaw in a state website that exposed the personal information of more than 100,000 Missouri educators."

One Republican state legislator, Representative Tony Lovasco of St. Charles County, also criticized Parson. "It's clear the governor's office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities. Journalists responsibly sounding an alarm on data privacy is not criminal hacking," Lovasco wrote on Twitter.

Post-Dispatch publisher Ian Caso said, "We stand by our reporting and our reporter who did everything right. It's regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website's problem and brought it to DESE's attention."

In a statement on its website, the state government said it "is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident." Like the governor, the DESE described the person who reported the vulnerability as a "hacker" instead of as a newspaper journalist.

The statement also provides some information on the web application that exposed Social Security numbers but doesn't say exactly how the entire nine-digit numbers were exposed in HTML. "In the process of verifying an educator's information, the last four digits of an educator's SSN can be used in the certification search tool as a piece of unique information to identify the appropriate educator," the statement said. "If educators have the same name, for example, LEAs [local education agencies] can use the last four digits of the educator's SSN to be sure the LEA is viewing the correct information for the appropriate educator."

The statement said the vulnerability did not allow all 100,000 Social Security numbers to be accessed at once and that they were available only "on an individual basis."

The search tool was launched in 2011. "Since then, OA-ITSD [Office of Administration Information Technology Services Division] has done a number of vulnerability scans on its web application that contains this information, and those scans did not yield any concerns or potential threats," the state said. But after the flaw was reported, the "educator certification search tool was disabled immediately by removing public access to the system and updating the code to repair the vulnerability."

The DESE said it is still "in the early stages of investigation."

This story originally appeared on Ars Technica.
