October 14, 2021

On Wednesday, the St. Louis Post-Dispatch ran a story about how its staff discovered and reported a security vulnerability in a Missouri state education website that exposed the Social Security numbers of 100,000 elementary and secondary teachers. In a press conference this morning, Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the “hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”

Missouri Gov. Mike Parson (R), vowing to prosecute the St. Louis Post-Dispatch for reporting a security vulnerability that exposed teacher SSNs.

The Post-Dispatch says it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials, and that more than 100,000 SSNs were available. The Missouri state Department of Elementary and Secondary Education (DESE) reportedly removed the affected pages from its website Tuesday after being notified of the problem by the publication (before the story on the flaw was published).

The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who happened to also examine the site’s public code using Developer Tools or simply right-clicking on the page and viewing the source code.

The Post-Dispatch reported that it wasn’t immediately clear how long the Social Security numbers and other sensitive information had been vulnerable on the DESE website, nor was it known if anyone had exploited the flaw.

But in a press conference Thursday morning, Gov. Parson said he would seek to prosecute and investigate the reporter and the region’s largest newspaper for “unlawfully” accessing teacher data.

“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” Parson said. “It is unlawful to access encoded data and systems in order to examine other peoples’ personal information. We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter, the Missouri State Highway Patrol’s Digital Forensics Unit will also be conducting an investigation of all of those involved. This incident alone may cost Missouri taxpayers as much as $50 million.”

While threatening to prosecute the reporters to the fullest extent of the law, Parson sought to downplay the severity of the security weakness, saying the reporter only unmasked three Social Security numbers, and that “there was no option to decode Social Security numbers for all educators in the system all at once.”

“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson continued. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”

Parson said the person who reported the weakness was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.”

“We will not let this crime against Missouri teachers go unpunished, and refuse to let them be a pawn in the news outlet’s political vendetta,” Parson said. “Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”

In a statement shared with KrebsOnSecurity, an attorney for the St. Louis Post-Dispatch said the reporter did the responsible thing by reporting his findings to the DESE so that the state could act to prevent disclosure and misuse.

“A hacker is someone who subverts computer security with malicious or criminal intent,” the attorney Joe Martineau said. “Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”

Aaron Mackey is a senior staff attorney at the Electronic Frontier Foundation (EFF), a non-profit digital rights group based in San Francisco. Mackey called the governor’s response “vindictive, retaliatory, and incredibly short-sighted.”

Mackey noted that Post-Dispatch did everything right, even holding its story until the state had fixed the vulnerability. He said the governor also is attacking the media — which serves a crucial role in helping give voice (and often anonymity) to security researchers who might otherwise remain silent under the threat of potential criminal prosecution for reporting their findings directly to the vulnerable organization.

“It’s dangerous and wrong to go after someone who behaved ethically and responsibly in the disclosure sense, but also in the journalistic sense,” he said. “The public had a right to know about their government’s own negligence in building secure systems and addressing well-known vulnerabilities.”

Mackey said Gov. Parson’s response to this incident also is unfortunate because it will almost certainly give pause to anyone who might otherwise find and report security vulnerabilities in state websites that unnecessarily expose sensitive information or access. Which also means such weaknesses are more likely to be eventually found and exploited by actual criminals.

“To characterize this as a hack is just wrong on the technical side, when it was the state agency’s own system pulling that SSN data and making it publicly available on their site,” Mackey said. “And then to react in this way where you don’t say ‘thank you’ but actually turn on the reporter and researchers and go after them…it’s just weird.”


132 thoughts on “Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability

  1. Notme

    So he thinks it’s 50 million to fix it. No wonder they can’t govern much less manage. Another job for cyber ninjas.

    Reply
    1. Mike

      Shows how low skilled those folks making the big government dollars are. That is like a few hours to code this so you can’t scrap it.

      Reply
      1. rambo is not expendable

        yup, yup.. opm breach is a case study in gment clusterfookery.
        do a search for opm breach .. it will make you realize they have no clue what they are doing or are being paid to be stupid.

        Reply
      2. Jim

        There’s no “big money” in Missouri government, except perhaps in the pockets and campaign coffers of Republican politicians. This sounds like Article 58 of the Russian Penal Code under Stalin, “arrest those suspected of counter-revolutionary activities”.
        or the Gestapo, “spreading of defeatist propaganda.”

        Reply
        1. martin

          I think 50 million sounds about right. $1000 to fix the code and $49,999,00 to supervise the programmer.

          Reply
          1. Lurchman

            Martin,

            You left a big chunk of change out of your calculations…

            I guess that is for the “slush fund” or to feather Mike Parson’s nest…

            Reply
  2. Mahhn

    Simplest analogy;
    Someone “tells him” his fly is down, he screams ra_ _.

    Reply
  3. John Piercy

    You are 100% correct. I don’t know about you but anyone that has spent the first 15 minutes in an ethical hacking training course has heard, ‘You must get written approval from the RIGHT person (think C-level or owners) to ever pen-test or attempt to hack a resource you don’t own yourself’. Your brother may have had good intentions but an understanding of applicable laws is critical to his future success and potentially unwanted residency in a prison. On the bright side, he probably scored a good job for his fuzzing skills – just hope he continues to use his powers for good – within the law.

    Reply
    1. Scott

      Waitwaitwait,

      So you mean to tell me, that if I serve PLAINTEXT data to a client that contains the sensitive data of hundreds\thousands\millions of my other customers, that the user is responsible for looking at it?

      There’s a very fine line between hacking a just looking.

      If all I have to do to see the social security numbers of my fellow bank members is look at the ceiling in the branch lobby, how is it my fault I looked up?

      All this does is scream coverup for incompetence

      Reply
      1. Jeremy

        That was my first thought as well. The lawsuit should quickly be turned around on them for distributing PII without permission. Sounds like an easier win.

        Reply
      2. JamminJ

        John Piercy’s comment was a reply from page 1, a response to a comment from Nemo, who was talking about a very different case. Nemo’s BROTHER was charged with hacking because he performed an SQL injection attack. Not plaintext in HTML source code.

        Out of context from the reply thread, I guess it seemed like John was defending the governor’s accusations. Far from it.

        Reply
    2. John Smith

      So you are admitting you didn’t uderstand what you were taught. You are an idiot…

      Reply
  4. Ken

    Do the cyber security issues matter when the Governor’s response is crafted from the pages of an authoritarian third world dictator?

    Part of an ongoing rift between rural-sourced “Governor Hee-Haw” (as he is sometimes called) and a big city newspaper. Each swipe the Gov takes goes further off the rails. Bigger story is the anti-democratic Trumpian attack on free standing media from a state leader. I’m sure real hackers applaud the chilling effect this has on journalists. Now they can go undetected longer.

    Reply
    1. anom

      Even hackers for profit wouldn’t necessarily support those goons, bad for business…

      Reply
  5. VoiceOfReason

    They were incompetent in leaving SSNs in the hypertext in the first place. They were incompetent again in thinking that looking at the source code was somehow ‘hacking’. This is a bad look for the Missouri Governor. The first revealed that they are incompetent. The second screams it loud enough for all to hear.

    I hope this isnt representative of how ALL state Govt IT departments function (or dont function, in this case).

    Reply
  6. Not Dense

    Parson was heard saying, just before he decided to shoot the messenger, “What?! You mean it’s not the Tweeter Machine?!”

    Reply
  7. VoiceOfReason

    Actual quote from the press conference: “This is why its UNNATURAL to have a keyboard with an F12 key. I dont know how that sort of thing plays out on the left coasts, but here in America’s heartland, we know this is a definite HIPPA violation! I bet they were hacking from that super-server in Hillary’s bathroom! Has anyone checked for bamboo fibers yet? Someone call Mike Lindell, Stat!!”

    Ladies and Gentlemen, I give you the Head Nincompoop of the (formerly) Great State of Missouri…

    Reply
  8. P.D.

    The IQ of a Banana, the morality of the 12th century, and a sub-leader of the Texas Taliban.

    Unreal. Did I just imagine the last 50 years?

    Reply
  9. JackSparrow

    I think the red line is more difficult to define. In the present case, everything happened within the United States, and I also think that the fault lies with the people responsible for the website.

    When problems arise, Internet traffic is usually cross-border. Unless serious criminal offenses are directly involved, there will be little help from authorities because internet law is essentially national law. For example, if you track a systematic attack on email accounts (gateway for ransomware attacks), 10 or more countries are quickly affected. You don’t get that organized so quickly. To a certain extent, criminals can move around the Internet in a law-free area and prepare the actual crimes in peace. That should be roughly the background of the upcoming talks with 30 other countries about cybersecurity.

    Now imagine the following case (it actually still exists!). Years ago, a company got a fast Internet access and no longer bothered about the router and it is still “secured” with the default administrator password. Not least because of shodan.io or similar services, such a device quickly becomes a proxy for all possible Internet criminals. This has to do with the fact that the hit rate with some manufacturers and ISPs is particularly high. Since it is also easy to spy on the LAN, such an insecure router is also a good basis for a direct ransomware attack. Such a router is a danger to itself and others.

    If the attacked trace back the attacks, then almost all of them end up abroad and of course they also see that the router is not secured. If you are familiar with this matter, you will know that there are some routers out there from a certain manufacturer where instructions such as “Change your password!” or something similar has already left behind. Obviously, someone else has been there.

    When it comes to routers that are connected to critical infrastructure, such as a hospital, city administration, etc., there is a more urgent need for action. Those who are familiar only need a short cURL command to name the problem, but that is by far not enough to convince those responsible for the routers of their security problem.

    There is therefore the absurd situation that, if help comes at all, it comes from abroad, and whoever does this to himself has to penetrate relatively deeply into the router in order to be convincing at all and to reach a competent contact person as quickly as possible .

    Is that already hacking, or can one define a supra-legal exception here because higher juristic principles are relevant? The core problem, however, is that the range of the Internet does not correspond to the range of existing laws. What does that mean, if all of this is not really clear within a country?

    Reply
  10. Ed

    prosecute and investigate the “hackers” and anyone who aided the publication in its “attempt to embarrass the state

    Attempting to prosecute someone for viewing public data and reporting the news is an embarrassment of the state, you tool.

    Reply
  11. Sebastian

    ok this means any browser company is criminal.
    they provide these high-end hacking tools.

    Reply
  12. Hex-a-decimal

    I just loved reading the article and all of the comments. I am still laughing. Excellent article and comments.

    Reply
  13. Kevin Boyle

    “‘A hacker is someone who subverts computer security with malicious or criminal intent,” the attorney Joe Martineau said.” Joe is wrong. A hacker is someone who tries to figure out how things work, usually related to computer technology–but not always. Sometimes people hack for bad (and that has become the mainstream press view of it), but there is hacking for good. Security researches do it all the time. So does my robotics team. It’s disappointing to see those advocating for the reporter adopting the narrow view of the term. It serves only to abet the uninformed (like Missouri’s governor and his ticket of ill-advised advisors).

    Reply
  14. King Llama

    He’ll prosecute the web consortium for facilitating the “decoding” of HTML next.
    Criminals! Seize them!

    Reply
  15. Dave

    Has there been any update to this? All of the stories are from three days ago, is he still maintaining this position?

    Reply
    1. Very stableboy

      Strong Trumpite. There is no backing down on crazy, you can go an order of magnitude bigger.

      You set up a ridiculous state law allowing anyone to sue anyone on suspicion of pushing F12,
      for ten thousand dollars. By the time Clarence Thomas wakes up it’s too late. “King me.”

      Reply
  16. Wilson

    “And then to react in this way where you don’t say ‘thank you’ but actually turn on the reporter and researchers and go after them…it’s just weird.”

    This behavior is all too common… Many careers have been lost, hats off to those doing what’s right.

    Reply
  17. MF

    $50 million dollars to fix? Where did they grab that number from? And if it is publicly visible….. nevermind, politicians covering the fact that things should have been detected if anyone had even the simplest security checks and penetration tests. And anyone one to bet if there’s one application the state has developed/purchased/uses with this issue there are others?

    Reply
  18. John

    I find it rather humorous that Governor Parson is so irate that someone actually came forward with information on a discovered data leak – a data leak that has most likely already been exploited by numerous less scrupulous entities.

    If you actually believes that an unauthenticated website with a .gov TLD hasn’t already been scanned and scraped for any interesting/usable data, by more actual “hacker” organizations than anyone in a position of authority – like you are – ever cares to even admit to themselves, much less publicly; you are sorely deluded Governor Parson.

    Maybe you should spend some of Missouri Tax-payers’ money on actually securing the State’s computer systems, rather than pursuing legal action against someone that didn’t perpetrated a full-blown identity-theft hack on the DESE site or the news outlet that ethically reported the problem actually exists.

    Or should both parties have just remained silent and left that gaping security hole open so the number of ID-Theft Fraud cases in the State of Missouri could continue to rise.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *