Missouri's governor vows to prosecute a reporter who told the state about a data security risk
Updated at 3:05 p.m., Oct. 14 with comments from the Missouri Press Association
Missouri Gov. Mike Parson on Thursday launched a criminal investigation of a St. Louis Post-Dispatch reporter who exposed flaws on a state website that left more than 100,000 Social Security numbers of teachers, administrators and counselors vulnerable.
The investigation comes one day after the paper published its story and two days after the paper alerted the state to the vulnerabilities and held off running the story so the state could protect the website.
The investigation begins today. Parson said the incident could cost taxpayers as much as $50 million but did not detail those costs or take questions at a news conference Thursday.
During the media briefing, Parson said that he is sending information to the Cole County prosecutor along with the Missouri State Highway Patrol’s Digital Forensic Unit and that the reporter acted against the state agency in “an attempt to embarrass the state and sell headlines.”
“The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so,” Parson said.
A statement from the Post-Dispatch said the reporter did the responsible thing by reporting the findings to the education department so it could then prevent misuse of the vulnerable information.
“A hacker is someone who subverts computer security with malicious or criminal intent,” said Joe Martineau, an attorney for the paper. “Here, there was no breach of any firewall or security and certainly no malicious intent.”
Parson said because the reporter who found this vulnerability did not have the authorization to access or decode the data, the actions are defined as a hack. He said that in addition to criminal charges, a civil suit could be possible.
According to the Post-Dispatch report, the paper discovered the vulnerability in a web application that allowed the searching of teacher certification and credentials. Social Security numbers were found in the HTML source code of the pages involved.
The paper said it delayed publishing to give the education department “time to protect teachers’ private information.”
The department has since removed the affected pages from its website as a result of the paper’s investigation.
Parson called the actions “a crime against teachers” and said the state would “hold accountable” not only the reporter who accessed the information but those who aided them, along with the paper.
Concerning the vulnerability of the website, Parson said these records were only available on an individual basis and could not be decoded all at once.
He said the state is working on strengthening the security of its web pages.
“We are addressing areas in which we need to do better than we have done before,” Parson said.
Jean Maneke, an attorney for the Missouri Press Association, says the Post-Dispatch did nothing wrong in finding the vulnerability and there was no hacking or theft involved.
“For the governor to infer that this is something that would raise the specter of criminal prosecution shows a misunderstanding of what we’re talking about here,” Maneke said. “Plus it also shows disregard for the fact that this is a public benefit that the media provided.”
Maneke also said she can’t imagine an investigation would result in prosecution.
Correction: Parson said the incident could cost taxpayers as much as $50 million. An earlier version of the story incorrectly described what the cost would cover.
Follow Sarah on Twitter: @SarahKKellogg