Missouri Gov. Mike Parson wants to prosecute a journalist who warned the state that a government website left school teachers and administrators' Social Security numbers exposed.
Parson called St. Louis Post-Dispatch reporter Josh Renaud a “hacker” and vowed to seek criminal prosecution at a press conference on Thursday. Renaud's "crime"? Clicking "view source" on a publicly available webpage.
“The state does not take this matter lightly,” Parson said, according to the Missouri Independent. “This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians.”
Parson said he referred the case to the Cole County prosecutor and asked the Missouri State Highway Patrol to investigate as well.
On Wednesday, the St. Louis Post-Dispatch reported that a flaw in a website of the state's Department of Elementary and Secondary Education left the SSNs of department employees, including teachers, administrators, and counselors, exposed. Renaud reported that the SSNs were visible simply by viewing the HTML source code of the vulnerable pages, something that anyone can do with two clicks in any modern browser.
The office of Gov. Parson declined to comment, and referred us to a recording of Parson’s press conference.
The way the St. Louis Post-Dispatch and Renaud handled the situation seems like a textbook example of ethical disclosure of a bug. The paper reported having found the bug in the web app set up to allow the public to search teacher certifications and credentials. More than 100,000 SSNs were exposed, according to the paper.
Once the paper alerted the state government, the department fixed the bug on Tuesday, and the paper published its story on Wednesday, once there were no risks for the teachers whose SSNs were exposed. Parson's comments are also a textbook example of government officials seemingly not having any clue how technology works, and vilifying people who do ethical security research as criminals, rather than simply thanking them for doing a public service that makes us all safer.
"The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities," the St. Louis Post-Dispatch wrote in its article.
A spokesperson for the St. Louis Post-Dispatch shared the following statement:
“The reporter did the responsible thing by reporting his findings to the Department of Elementary and Secondary Education (DESE) so that the state could act to prevent disclosure and misuse,” the statement read. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
This story has been updated to include the statement from the St. Louis Post-Dispatch spokesperson.