A reporter for the St. Louis Post-Dispatch recently discovered that teachers’ Social Security numbers and other private information were available in the source code of a public website hosted by the Missouri government. He did the right thing by notifying the paper, which then notified the state, even giving it time to take the site down before publishing a story on the vulnerability.
The reporter has now been accused of “hacking” by the Republican Governor Mike Parson, who wants to prosecute him.
Reporter Josh Renaud was browsing a Department of Elementary and Secondary Education web application that lets users search for teachers’ certifications and credentials when he looked at the site’s HTML source code (something that usually requires zero hacking skills, only the use of a right-click). In the source code, he found sensitive data belonging to the state’s teachers, including Social Security numbers and other private information.
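Renaud found the numbers simply by reading the page source, which is also the cheapest place for the site's owner to have caught them. As an added example that is not part of the article and has nothing to do with DESE's actual system, the following Python scanner can be run over a web application's rendered responses (in a CI test, a staging crawl or a pre-release review) and flags Social Security numbers left in the HTML, whether in plain text, in HTML entities, or inside base64-encoded attributes of the kind the state's "encoded data" statements describe. The sample page, the field names, the `Finding` class and the confidence labels are all constructed for this example; the plausibility rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) are the Social Security Administration's published rules.

```python
import base64
import binascii
import html
import re
from dataclasses import dataclass

# Hyphenated form is a strong signal; nine bare digits only a weak one.
SSN_HYPHENATED = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
SSN_BARE = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")
# Base64-looking tokens of a useful length, delimited by non-alphabet characters.
BASE64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")


@dataclass(frozen=True)
class Finding:
    source: str      # "plain" (visible in the HTML) or "base64" (found after decoding a token)
    confidence: str  # "likely" for ###-##-####, "possible" for nine bare digits
    masked: str      # never report the full number; the scanner's log must not leak it too


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject digit runs the SSA never issues, which removes most false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def _scan_text(text: str, source: str) -> list:
    findings = []
    for m in SSN_HYPHENATED.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(Finding(source, "likely", f"***-**-{m.group(3)}"))
    for m in SSN_BARE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(Finding(source, "possible", f"***-**-{m.group(3)}"))
    return findings


def find_ssn_exposures(page_html: str) -> list:
    """Scan one HTML response: entity-decode it, scan the text, then scan every
    base64 token that decodes to printable ASCII (JSON blobs in data attributes,
    hidden fields, script state)."""
    text = html.unescape(page_html)
    findings = _scan_text(text, "plain")
    for m in BASE64_TOKEN.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary long word or binary data, not an encoded record
        findings.extend(_scan_text(decoded, "base64"))
    return findings


def page_is_clean(page_html: str) -> bool:
    """Gate for a CI test: True when no plausible SSN is present in any form."""
    return not find_ssn_exposures(page_html)


# Constructed sample page. 078-05-1120 is the SSA's well-known never-to-be-issued
# example number; the encoded record is built here so the sample stays readable.
_ENCODED_RECORD = base64.b64encode(b'{"ssn": "078051120"}').decode("ascii")
SAMPLE_PAGE = f"""<html><body>
<h1>Educator Certificate Lookup</h1>
<table><tr><td>Jane Doe</td><td>Certificate 2021-0042</td></tr></table>
<!-- constructed: sensitive fields left behind in the page source -->
<input type="hidden" name="ssn" value="078-05-1120">
<div data-record="{_ENCODED_RECORD}"></div>
<span>Phone: 5735551234</span>
<span>Record ID 000123456</span>
</body></html>"""


if __name__ == "__main__":
    for f in find_ssn_exposures(SAMPLE_PAGE):
        print(f"{f.confidence:8} {f.source:6} {f.masked}")
    print("clean:", page_is_clean(SAMPLE_PAGE))
```

Against the sample page the scanner reports the hidden input as a likely SSN and the base64-encoded record as a possible one, while the ten-digit phone number and the `000`-prefixed record ID are left alone. Reporting only the last four digits keeps the scanner's own output from becoming a second copy of the data, which matters when the check runs in a build log that many people can read.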
The paper then consulted with educators and a cybersecurity expert, Shaji Khan. Khan told the Post-Dispatch it was “mind-boggling” that a state web application had such a security vulnerability. The paper informed the state of the security flaw on Tuesday.
On Wednesday, the department notified teachers that their data had been exposed. The department wrote in a letter that “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the Social Security number (SSN) of those specific educators.”
“In reality,” Renaud wrote in the Post-Dispatch, contradicting the state’s account, “the Post-Dispatch discovered the vulnerability and confirmed that the nine-digit numbers were indeed Social Security numbers. The paper then told the department that it had confirmed the vulnerability with three educators and a cybersecurity expert.”
At a press conference on Thursday, Governor Parson called Renaud a “hacker” and accused him of trying to “steal” personal data.
“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” the governor said. “It is unlawful to access encoded data and systems in order to examine other people’s personal information.”
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate. pic.twitter.com/2hkZNI1wXE
— Governor Mike Parson (@GovParsonMO) October 14, 2021
Parson has referred the matter to the Cole County Prosecutor and the Missouri State Highway Patrol for investigation and promised “swift justice.”
“The state is committed to bring to justice anyone who hacked our system, and anyone who aided or encouraged them,” Parson said.
But the Post-Dispatch denied Parson’s claims in a statement from the paper’s attorney, Joseph Martineau. “The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” Martineau said in a written statement. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.”
“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded,” he added. “Thankfully, these failures were discovered.”