Missouri governor slams newspaper for uncovering state data security breach
JEFFERSON CITY, Mo. (AP) – Republican Gov. Mike Parson on Thursday condemned one of Missouri’s largest newspapers for revealing a flaw in a state database that gave the public access to thousands of teachers’ social security numbers, although the newspaper refrained from reporting the flaw until the state could correct it.
Parson told reporters outside his Capitol Hill office that the Missouri State Highway Patrol’s digital forensic unit would conduct an investigation “into everyone involved” and that his administration had spoken to the Cole County District Attorney, whose county includes the state capital, Jefferson City. He did not say what he meant by “involved” or whether investigators would examine whether the St. Louis Post-Dispatch broke the law in reporting on the data vulnerability.
The Post-Dispatch announced the news of the security breach on Wednesday. The newspaper said it discovered the vulnerability in a web application that allowed the public to search for teacher certifications and credentials.
The Ministry of Primary and Secondary Education removed the pages from its website on Tuesday after being made aware of the issue by the Post-Dispatch, which said it had given the state time to resolve the issue before publishing its article.
The Post-Dispatch estimated that more than 100,000 social security numbers were vulnerable, based on payroll records and other data. It found that the social security numbers of school workers were included in the HTML source code of the affected pages.
“The state is not aware of any misuse of individual information or even if information was accessed inappropriately outside of this isolated incident,” DESE said in a press release.
Although the Post-Dispatch alerted the agency to the problem and withheld the story, the agency’s press release called the person who discovered the vulnerability a “hacker” – an apparent reference to the reporter – who “took the records of at least three educators.” The agency did not specify what it meant by “took the records” and declined to discuss the matter further than what it said in its press release when contacted by The Associated Press.
Source code is accessible by right-clicking on public web pages.
The newspaper’s chairman and editor, Ian Caso, said in a statement that the Post-Dispatch is sticking to the story and the reporter, who he says “did everything right”.
“It is unfortunate that the governor chose to blame journalists who discovered the website problem and brought it to the attention of the Ministry of Primary and Secondary Education,” Caso said.
Parson also suggested that the reporter had somehow broken the law.
“This individual is not a victim,” Parson told reporters. “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell titles for their media. We will not let this crime against teachers in Missouri go unpunished.”
Peter Swire, cyber law expert and professor in the School of Cybersecurity and Privacy at the Georgia Institute of Technology, said that reporting security vulnerabilities on publicly accessible websites is a “public service” and “is clearly not criminal under federal law.”
“Right clicking does not count as a criminal hack,” Swire said.
Joseph Martineau, a lawyer for the Post-Dispatch, said in a statement that the journalist “did the responsible thing in reporting his findings to DESE so the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here there has been no firewall or security breach and certainly no malicious intent.”
“For DESE, deflecting its failures by calling it ‘hacking’ is unfounded,” Martineau said.
Missouri Press Association attorney Jean Maneke said she doubted a judge “would allow this to go very far.”
“It is clear that the Post-Dispatch has warned of the state of this problem,” Maneke said. “There is no evidence of criminal or malicious intent in the act. There is no attempt to steal information. There is no reason for him (Parson) to say that there is any kind of illegal act on the part of the Post-Dispatch.”
Byron Clemens, spokesperson for AFT St. Louis, Local 420, said the teachers’ union was not aware of any misuse of educator information.
“But we are concerned about the attempt to deflect responsibility and politicize what is very clearly an attack on state security,” Clemens said in a statement.
Meanwhile, Parson said the state will tackle security concerns raised by the newspaper’s reports.
“We are working to strengthen our security to prevent this incident from happening again,” Parson said. “The state is doing its part and we are tackling areas where we need to do better than we have done before.”