Missouri Governor slams newspaper for uncovering data security flaw

(AP) — Republican Gov. Mike Parson on Thursday condemned one of Missouri’s largest newspapers for exposing a flaw in a state database that allowed public access to thousands of teachers’ Social Security numbers, even though the paper held off from reporting about the flaw until after the state could fix it.

Parson told reporters outside his Capitol office that the Missouri State Highway Patrol’s digital forensic unit will be conducting an investigation “of all of those involved” and that his administration had spoken to the prosecutor in Cole County, which includes the state capital, Jefferson City. He didn’t elaborate as to what he meant by “involved” or whether investigators would be looking into whether the St. Louis Post-Dispatch broke the law during the course of its reporting on the data vulnerability.

The Post-Dispatch broke the news about the security flaw on Wednesday. The newspaper said it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials.

The Department of Elementary and Secondary Education removed the pages from its website on Tuesday after being told about the issue by the Post-Dispatch, which said it gave the state time to fix the problem before it published its story.

The Post-Dispatch estimated that more than 100,000 Social Security numbers were vulnerable, based on pay records and other data. It found that the school workers’ Social Security numbers were in the HTML source code of the pages involved.

“The state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident,” the DESE said in a news release.

Though the Post-Dispatch alerted the agency to the problem and held off on the story, the agency’s news release called the person who discovered the vulnerability a “hacker” — an apparent reference to the reporter — who “took the records of at least three educators.” The agency didn’t elaborate as to what it meant by “took the records,” and neither it nor the newspaper’s lawyer immediately replied to requests for comment about that accusation.

Parson also suggested that the reporter somehow broke the law.

“This individual is not a victim,” Parson told reporters. “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished.”

Joseph Martineau, an attorney for the Post-Dispatch, said in a statement that the reporter “did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.”

“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded,” Martineau said.

Jean Maneke, an attorney for the Missouri Press Association, said she doubted any judge “would allow this to proceed very far.”

“Clearly the Post-Dispatch warned the state of this issue,” Maneke said. “There’s no evidence of any criminal or malicious intent in the act. There’s no attempt to steal information. There’s no basis for him (Parson) to say there’s any kind of illegal act from the Post-Dispatch.”

Byron Clemens, a spokesman for AFT St. Louis, Local 420, said the teachers union isn’t aware of any educators’ information being misused.

“But we are concerned over the attempt to deflect responsibility and politicize what is very obviously a security breach by the state,” Clemens said in a statement.

Democratic state Rep. Crystal Quade, the minority leader of the state House, said Parson should thank the newspaper for uncovering the issue.

“In the finest tradition of public interest journalism, the Post-Dispatch discovered a problem — one publicly discernable to anyone who bothered to look; it verified the problem with experts; and it brought the problem to the attention of state officials for remedial action,” Quade said in a statement. “The governor should direct his anger towards the failure of state government to keep its technology secure and up to date and to work to fix the problem, not threaten journalists with prosecution for uncovering those failures.”

Meanwhile, Parson said the state will address security issues raised by the newspaper’s reporting.

“We are working to strengthen our security to prevent this incident from happening again,” Parson said. “The state is owning its part, and we are addressing areas in which we need to do better than we have done before.”