On Wednesday, the St. Louis Post-Dispatch ran a story about how its staff discovered and reported a security vulnerability in a Missouri state education website that exposed the Social Security numbers of 100,000 elementary and secondary teachers. In a press conference Thursday morning, Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the “hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”
The Post-Dispatch says it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials, and that more than 100,000 SSNs were available. The Missouri state Department of Elementary and Secondary Education (DESE) reportedly removed the affected pages from its website Tuesday after being notified of the problem by the publication (before the story on the flaw was published).
The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who also looked at the page’s source, whether through the browser’s Developer Tools or simply by right-clicking on the page and choosing “View Page Source.” Nothing about this requires bypassing any control: whatever a server includes in its HTTP response is delivered in full to the visitor’s browser, whether or not the page renders it on screen.
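As an added illustration, not code from the Post-Dispatch’s reporting or from the DESE site (whose markup is not reproduced on this page), the following Python scanner shows the kind of check a site owner can run against their own rendered pages before anyone else does: it walks every attribute value, text node and HTML comment that a browser would receive and flags anything shaped like a Social Security number. It goes one step beyond what the article states by also decoding base64-looking tokens, since PII sent to the browser in a reversibly encoded form is exactly as exposed as plaintext. The sample page, the field names and the placeholder number 123-45-6789 are all constructed for the example.

```python
import base64
import re
from html.parser import HTMLParser

# SSN shape AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
# This is a shape check for leak scanning, not a check that a number was issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate base64 tokens: 12+ alphabet characters plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


class _SourceCollector(HTMLParser):
    """Collect every string the browser receives: attribute values, text, comments."""

    def __init__(self):
        super().__init__()
        self.chunks = []  # (location label, string)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self.chunks.append((f"<{tag} {name}>", value))

    def handle_data(self, data):
        # Also receives <script>/<style> bodies, where inline JSON often hides.
        if data.strip():
            self.chunks.append(("text", data))

    def handle_comment(self, data):
        self.chunks.append(("comment", data))


def _base64_decoded(s):
    """Yield the ASCII decoding of every base64-looking token in s."""
    for token in B64_RE.findall(s):
        try:
            yield base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 (binascii.Error is a ValueError), or not text


def find_ssn_leaks(html):
    """Return (location, encoding, ssn) for each SSN-shaped value in the page source."""
    collector = _SourceCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for where, value in collector.chunks:
        for ssn in SSN_RE.findall(value):
            findings.append((where, "plain", ssn))
        for decoded in _base64_decoded(value):
            for ssn in SSN_RE.findall(decoded):
                findings.append((where, "base64", ssn))
    return findings


# Constructed sample page (hypothetical markup, not the DESE site). The hidden
# input carries a placeholder SSN in the clear; the data-id attribute carries
# the same placeholder base64-encoded.
SAMPLE_HTML = """<!doctype html>
<html><body>
<h1>Educator Credential Lookup</h1>
<table>
  <tr><td>Name</td><td>Jane Q. Educator</td></tr>
  <tr><td>Certificate</td><td>Initial Professional Certificate (sample)</td></tr>
</table>
<!-- hidden field: constructed sample, not real data -->
<input type="hidden" name="educator_ssn" value="123-45-6789">
<div id="rec" data-id="MTIzLTQ1LTY3ODk=">record</div>
</body></html>
"""

if __name__ == "__main__":
    for where, encoding, ssn in find_ssn_leaks(SAMPLE_HTML):
        print(f"{where}: {encoding} SSN {ssn}")
```

Run it against saved copies of your own pages (for example the output of `curl -s URL`); any hit means the value was transmitted to every visitor, regardless of whether the page showed it. The base64 pass is deliberately broad and will try to decode ordinary long words; those fail the padding or ASCII checks and are silently skipped.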
The Post-Dispatch reported that it wasn’t immediately clear how long the Social Security numbers and other sensitive information had been vulnerable on the DESE website, nor was it known if anyone had exploited the flaw.
But in a press conference Thursday morning, Gov. Parson said he would seek to prosecute and investigate the reporter and the region’s largest newspaper for “unlawfully” accessing teacher data.
“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” Parson said. “It is unlawful to access encoded data and systems in order to examine other peoples’ personal information. We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter, the Missouri State Highway Patrol’s Digital Forensics Unit will also be conducting an investigation of all of those involved. This incident alone may cost Missouri taxpayers as much as $50 million.”
While threatening to prosecute the reporters to the fullest extent of the law, Parson sought to downplay the severity of the security weakness, saying the reporter only unmasked three Social Security numbers, and that “there was no option to decode Social Security numbers for all educators in the system all at once.”
“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson continued. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”
Parson said the person who reported the weakness was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.”
“We will not let this crime against Missouri teachers go unpunished, and refuse to let them be a pawn in the news outlet’s political vendetta,” Parson said. “Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”
In a statement shared with KrebsOnSecurity, an attorney for the St. Louis Post-Dispatch said the reporter did the responsible thing by reporting his findings to the DESE so that the state could act to prevent disclosure and misuse.
“A hacker is someone who subverts computer security with malicious or criminal intent,” the attorney Joe Martineau said. “Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
Aaron Mackey is a senior staff attorney at the Electronic Frontier Foundation (EFF), a non-profit digital rights group based in San Francisco. Mackey called the governor’s response “vindictive, retaliatory, and incredibly short-sighted.”
Mackey noted that the Post-Dispatch did everything right, even holding its story until the state had fixed the vulnerability. He said the governor also is attacking the media — which serves a crucial role in helping give voice (and often anonymity) to security researchers who might otherwise remain silent under the threat of potential criminal prosecution for reporting their findings directly to the vulnerable organization.
“It’s dangerous and wrong to go after someone who behaved ethically and responsibly in the disclosure sense, but also in the journalistic sense,” he said. “The public had a right to know about their government’s own negligence in building secure systems and addressing well-known vulnerabilities.”
Mackey said Gov. Parson’s response to this incident also is unfortunate because it will almost certainly give pause to anyone who might otherwise find and report security vulnerabilities in state websites that unnecessarily expose sensitive information or access, which in turn means such weaknesses are more likely to be found and exploited first by actual criminals.
“To characterize this as a hack is just wrong on the technical side, when it was the state agency’s own system pulling that SSN data and making it publicly available on their site,” Mackey said. “And then to react in this way where you don’t say ‘thank you’ but actually turn on the reporter and researchers and go after them…it’s just weird.”
Well... as the old saying goes... no good deed goes unpunished... SMH.
I’ll do the job for $40 million – saving taxpayers 20%, that’s what I’m all about!
I’ll under bid you . . . I’ll take $30 million . . .
On a serious note... who in the Halibet is saying it will cost $50 million to fix the issue!? I’ve worked on corporate projects... unless we are talking embedded devices... for that type of $$ you can burn the system down and build one from scratch with an army of developers and project managers. Maybe I’m wrong but... $50 million!?! Really!?!
Thanks for updating us with latest info.
I come checking back here looking to see if there’s a new (awesome) Krebs article,
I see this again… and I get mad all over! You see how (football legend) John got that way.
It’s all so maddening. This country needs a firmware update or it’s bricked anyway.
The governor’s circle has created its own reality and is now firmly occupying it, refusing to acknowledge the lack of clothing on the Emperor. If you want to see an example, watch the latest YouTube video from “Uniting Missouri”. Hopefully the courts are still based in reality, as I foresee them attempting a lawsuit.
lol, mate, don’t fall for their tricks, they want you to get mad in the hope that you will make a stupid mistake out of anger.
I am writing from Spain.
For three and a half years I have been suffering cyber-harassment on my mobile phone and my laptop from two advertising people at “ORANGE” and other companies, who hack customers of telephone companies in Logroño (Spain) and, I suppose, in other autonomous communities as well.
It is an organized cybercrime network.
I want to warn from here of the existence of this criminal gang.
Knowledge is power. Too bad the Missouri Gov. Mike Parson is an ignorant, vindictive OLD man lacking this knowledge.
Looks like he stole a page from the former President, and is suing anything to deflect from a mistake that could have been handled way better.
Have you ever been asked to check under your kid’s bed to see if any monsters were there? Governor Whatshisname is that kid – stuck in his childish interpretation of a technology that might as well be magic.
In my humble opinion, I think government officials should be able to understand how technology today works, as well as knowing that it is still flawed and needs correction from time to time. I mean, if the news article’s information is correct and everyone is just assuming that they are exposing a weakness to point out a group of people, that gets us nowhere. There has to be someone out there who is willing to check if what the person is saying is true or not, and if you don’t know whether they are or aren’t, you have no right to accuse them of stating what seems to be an issue; for all you know they could just be pointing out a flaw in the system, not exposing a group of people for their personal gain. We as a society need to learn from this and move past it instead of dwelling on what has already happened. So with what remaining dignity we have as citizens, get up on your feet and move forward. Thank you for your time.
There *was* such an agency. “The Office of Technology Assessment (OTA) was an office of the United States Congress that operated from 1974 to 1995. OTA’s purpose was to provide congressional members and committees with objective and authoritative analysis of the complex scientific and technical issues of the late 20th century, i.e. technology assessment.” Guess which party defunded it?
A quick look at the Governor’s main page shows they monitor site activity with New Relic tools. I assume that information can be retrieved through Missouri public information laws.
I wonder what information they retain as they peek into their site visitors’ browsing?
Is the Governor a hacker? Oh, horrors….
Can’t seem to view newer articles than this 10-day-old one on the site’s front page.
At the end of the day the buck stops with the Gov. for having poor security practices in the MO government. He is in charge. This is his attempt to shift the blame. I hope that the citizens of MO realize that this is a cynical ploy by the Gov. to cover up his administration’s gross incompetence.
A related update from the Missouri Independent: https://missouriindependent.com/2021/10/21/cybersecurity-expert-demands-apology-from-missouri-governor-over-hacking-claims/
Thanks for posting that… the youtube video it links to is pretty funny: https://www.youtube.com/watch?v=9IBPeRa7U8E
They say they “decoded the HTML”. Which is obviously wrong. I still can’t quite understand where the SS#s were though. I doubt they were in the HTML, but maybe in a JSON dataset… but none of that would need to be “decoded”.
…but maybe there is a piece that is needed to decode the numbers? I still can’t figure that part out as no one has explained exactly where that PII info was in the source code… since this sounds like a well-known defect in older software can anyone here explain the exact details?
I did find an article about a guv’ment website exposing PII in Base64 encoding regarding COVID tests… so it is possible that the PII was Base64 encoded: “However, security researcher Sourajeet Majumder found that the link containing the patient’s unique test identification number was scrambled in base64 encoding”. So mayyybe they are technically correct when they say “decoded”? Obviously he’s still a complete moron, and should be recalled immediately…
now that I read more I think it was Base64 encoding. That’s a pretty strange practice really… but I found another article about a guv’ment COVID-19 site that used a user’s UID in the link base64 encoded. Which allowed anyone to change that bit and get other people’s records. So technically that vid may not be wrong. (but they couldn’t explain why they’re not wrong, because it still makes the guv’ment look very stupid…)
Governor Parson obviously wants to deter people performing the vital duty of reporting vulnerabilities to those who NEED to know. He is the criminal hacker’s best friend.
How can people govern properly in such ignorance of the modern world?
I live in Missouri. I voted for Parson. As an IT employee I know he’s got this wrong. The person he should be going after is the employee(s) of the state who programmed the website horribly. The reporter as a hacker is ridiculous. Should the governor be recalled? That’s a bit of a far stretch. He needs to apologize for his ignorance and tell us Missourians he’s got the person who programmed this fired and call it a day.
Have there been any further actions by the governor or his administration to move forward on prosecution of the reporter and others that report how flawed this web application was?
I am curious because any case should be laughed out of court by the presiding judge before it ever goes further. I would love to know what has happened since this was initially reported.
I hope other states take the hint and check their teacher credential checking systems/databases for similar problems before they get discovered by independent 3rd parties.
There’s an old, but quite extensive list of them here:
The Missouri CredentialsListChecker (which was taken offline due to the publicity) is among them as well.
lol what a moron. Black Hats do this stuff and don’t tell anyone, unless they’re going to ask for a ransom.
Missouri offers credit monitoring after data flaw that Parson called ‘hacking’
November 10, 2021 update on the incident – https://dese.mo.gov/data-incident