Missouri has vowed to prosecute the journalist who found a security flaw on the state’s website: NPR

Missouri Gov. Mike Parson, pictured at a press conference in May 2019. He said Thursday that his administration is pursuing prosecution of a local newspaper reporter who alerted the government to website security flaws.

Jacob Moscovitch / Getty Images



Missouri Governor Mike Parson has vowed to prosecute the staff of the St. Louis Post-Dispatch after the newspaper said it had discovered security vulnerabilities on a state agency website.

The governor characterized the incident as a hack, and said Thursday that the state would investigate it at a possible cost of $50 million to taxpayers.

“Not only will we hold this individual accountable but we will also be accountable to all those who helped this individual and the media corporation that uses them,” Parson said at a press conference.

The backstory is a bit complicated, so stay with us. It starts with a website maintained by the state Department of Elementary and Secondary Education.

The Post-Dispatch said in a story published Wednesday night that an unnamed reporter discovered flaws on that website that made “the number of teachers and other school staff vulnerable to public exposure.”

The issue involved a web application that allowed the public to search for teacher certifications and credentials. The newspaper said no private information was clearly visible or searchable, but the teachers’ Social Security numbers were contained in the HTML source code of those pages. More than 100,000 Social Security numbers were vulnerable, it added.

The newspaper’s staff reported the findings to DESE and delayed publication of the story to give the agency time to protect teachers’ personal information and to enable the state to check other websites for similar risks.

DESE said it notified the Missouri Office of Information Technology Services Administration to disable the problematic search tool as soon as the vulnerability was verified.

“The state is not aware of any misuse of individual information or even if the information was accessed inappropriately outside of an isolated incident,” it said in a press release on Wednesday.

But that statement also placed the blame on the individual who discovered the security flaw. It described the discovery as a multi-step process in which “a hacker took the records of at least three instructors, decoded the HTML source code, and viewed the social security number (SSN) of that particular educator.”

(The HTML source code is publicly available to anyone with a web browser, and can be accessed with just a few clicks.)

The Post-Dispatch disputes the agency’s characterization. In reality, it said, its staff discovered the vulnerability and then confirmed with three educators and cybersecurity experts that the nine-digit numbers were in fact Social Security numbers.

It also pointed out that DESE did not acknowledge – in its press release and in a letter to teachers – the total scope of the vulnerability and the fact that thousands of “Social Security numbers” are available to anyone through DESE’s own search engine.

Joseph Martineau, the Post-Dispatch’s lawyer, called DESE’s diversion and accusation “baseless” in a statement published by the paper.

“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” he wrote. “A hacker is someone who violates computer security with malicious or criminal intent. Here, there is no breach of any firewall or security and certainly no malicious intent.”

A DESE spokesperson told NPR via email on Thursday that “we have confidence that OA-ITSD now protects educators’ data to prevent further exposure.” He directed NPR to an earlier agency statement but declined to comment, citing the ongoing investigation.

The governor wants to use state resources to investigate the newspaper

Parson called a press conference on Thursday, at which he vowed to prosecute the alleged hacking and then refused to take questions from reporters.

He said his administration has notified the Cole County prosecutor, and that the Missouri State Highway Digital State Forensic Unit will also open an investigation into “everyone involved.”

Those efforts could cost taxpayers up to $50 million while moving workers and resources away from other state agencies, according to Parson. But he said the state is committed to “taking a stand against any and all perpetrators who attempt to steal personal information and hurt Missourians.” He also said the state will work to address security concerns.

“This individual is not a victim,” he said. “They are acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their outlet.”

Martineau did not respond to NPR’s request for comment about the governor’s accusations.

Parson cited a state law that defines the offense of tampering with computer data, arguing that nothing on the DESE website gave this individual permission to access teacher data.

He also said the law allows his administration to bring a civil lawsuit to recover damages against all those involved, and said emphatically that it refused to let the teachers be “a guard to the outlet’s political visitor of the news.”

“We apologize to the hard-working Missouri teachers who are now wondering if their personal information has been compromised for the political pathetical that has been captured by what should have been one of Missouri’s newsletters,” Parson said, describing them as placed in the middle.

The Missouri State Teachers Association did not comment publicly on the governor’s remarks, but issued a statement on Thursday afternoon claiming the vulnerabilities of the DESE website had destroyed the confidence of educators and calling on the state to “deploy every resource necessary” to keep their personal information safe.

This is not the first time Parson has lashed out at the news media during the pandemic. As The Kansas City Star put it, he “bristled at the unpleasant reporting and singled out The Star, the Post-Dispatch and the Missouri Independent for criticism of their reporting on COVID-19.”

This raises concerns over freedom of the press

Local and national critics have expressed their support for the newspaper and its right to free speech.

Matt Bailey, director of the digital freedom program with PEN America, called the governor’s characterization of the reporter’s actions “an insult to democracy, free journalism, and the public interest” in a statement given to NPR.

“And it comes at a time when opportunistic political leaders seek to demonize the press,” he added. “Such greed only serves the governor’s short-term interests; in the long run, they move away from an uncertain information ecosystem, where a growing number of people do not trust the credibility of accountability reporting.”

He added that the newspaper and its reporters acted responsibly in disclosing and then reporting on security issues, saying they did so in accordance with legal and ethical standards.

“The threats of legal action by Governor Mike Parson against the St. Louis Post-Dispatch and its reporter in identifying a security flaw on a state website are absurd,” Katherine Jacobsen, the Committee to Protect Journalists’ US and Canada program coordinator, said in a statement. “Using journalists as political scapegoats by placing regular research as ‘hacking’ is a vicious attempt to divert public attention from the government’s own failed security.”

Jean Maneke, an attorney for the Missouri Press Association, told the Associated Press that he doubted any judge “would allow it to go so far.”

He said the fact that the newspaper warned the state about the security risk indicates that it was not acting with any criminal or malicious intent.

Democratic State Rep. Crystal Quade, the minority leader of the House, issued a statement on Thursday saying Parson should thank the newspaper, not threaten it.

“In the best tradition of public interest journalism, the Post-Dispatch discovered a problem – a public one visible to anyone who bothered to look; it proved the problem to experts; and it brought the problem to the attention of officials of the state for remedial action,” he wrote. “The governor should direct his anger toward the state government’s failure to keep its technology safe and up-to-date and work to fix the problem, not threaten journalists with prosecution for detecting those failures.”
