Despite mounting public backlash, Missouri Gov. Michael Parson isn’t backing down from threatening to prosecute a journalist for accessing personal information of Missouri teachers to expose a security lapse in the state’s website.
St. Louis Post-Dispatch journalist Josh Renaud reported the website for the state’s Department of Elementary and Secondary Education (DESE) was exposing over 100,000 teachers’ Social Security numbers. These SSNs were discovered by viewing the HTML source code of the site’s web pages, allegedly allowing anyone with an internet connection to find the sensitive information by right-clicking the page and hitting “view page source.”
The Post-Dispatch reported the vulnerability to state authorities to patch the website and delayed publishing a story about the problem to give the state enough time to fix the problem.
The DESE has since confirmed that the “educator certification search tool was disabled and that the vulnerability is now fixed."
The governor’s office is receiving plenty of backlash for its threats to prosecute the reporter.
Rachel Tobac, a hacker and CEO of SocialProof Security, tweeted, "Hitting F12 in a browser is not hacking. If your code leaks personal data via public development tools that any person can see by simply pressing F12 on a keyboard then you have a huge data leak issue, not a hacking situation, on your hands. Fix your website."
Yet, the governor’s office continues to contend Renaud is open to prosecution for his actions. An email to The Record from Kelli Jones, communications director for the governor’s office, said an investigation into Renaud’s actions is ongoing, but described his action as a “hack” that was more than just “a right click,” and that Renaud broke Missouri law.
“The facts are that an individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers’ personal information,” Jones wrote in an email.
“This information was not freely available, and there was no authorization given to tamper with computer data. By the actor’s own admission, the data had to be taken through eight separate steps in order to generate an SSN, which was shared with other entities. Under Missouri law, a person commits the offense of tampering with computer data if he or she knowingly and without authorization accesses, takes and examines personal information. “
The St Louis Post-Dispatch said Renaud should be applauded, not persecuted, for exposing a vulnerability in the website’s security.
“We’re pleased to see the support and interest generated from this story. It highlights the valuable work of our journalists,” said Ian Caso, president and publisher of the St. Louis Post-Dispatch. “I’m grateful our reporter, Josh Renaud, was able to uncover the problem and share it with the appropriate state officials. I think he should be commended for his work and sense of duty. We are surprised and disappointed at the governor’s response and deflection.”
In acknowledging the vulnerability had been verified and fixed, the DESE said Renaud used a “multi-step” process to get the records of at least three educators, including their Social Security numbers.
The DESE termed it an “isolated incident,” and that officials were still “working diligently” to determine the severity of the issue. The DESE also referred to Renaud as a hacker.
“A hacker is someone who gains unauthorized access to information or content,” Parson said during a recent press conference. “This individual did not have permission to do what they did."
He said Renaud was simply attempting to "embarrass the state" and "sell headlines."
"We will not let this crime go unpunished," Parson said.