On Wednesday, the St. Louis Post-Dispatch ran a story about how its staff discovered and reported a security vulnerability in a Missouri state education website that exposed the Social Security numbers of 100,000 elementary and secondary teachers. In a press conference this morning, Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the “hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”
The Post-Dispatch says it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials, and that more than 100,000 SSNs were available. The Missouri state Department of Elementary and Secondary Education (DESE) reportedly removed the affected pages from its website Tuesday after being notified of the problem by the publication (before the story on the flaw was published).
The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who happened to also examine the site’s public code using Developer Tools or simply right-clicking on the page and viewing the source code.
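As an added example (not code from the Post-Dispatch, DESE or KrebsOnSecurity), here is the kind of pre-release check a site owner could run over a page's HTML to catch exactly this class of exposure: it scans attribute values, HTML comments and script bodies as well as rendered text for SSN-shaped strings, so a number that is present in the source but never displayed still trips the check. The sample page is constructed for illustration and the SSN plausibility rules follow the SSA's published structural constraints.

```python
import re
from html.parser import HTMLParser

SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")  # area-group-serial, dashes optional

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area never 000, 666 or 900+; group never 00; serial never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

class PIIScanner(HTMLParser):
    """Collect SSN-shaped strings from an HTML response and record whether each
    sits in rendered text or only in markup a browser never displays."""

    def __init__(self):
        super().__init__()
        self.findings = []      # (location, ssn) pairs
        self._in_code = False   # inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        self._in_code = self._in_code or tag in ("script", "style")
        for name, value in attrs:
            if value:
                self._scan(f"attribute {tag}@{name}", value)

    def handle_endtag(self, tag):
        self._in_code = self._in_code and tag not in ("script", "style")

    def handle_data(self, data):
        self._scan("script/style body" if self._in_code else "visible text", data)

    def handle_comment(self, data):
        self._scan("html comment", data)

    def _scan(self, location, text):
        for m in SSN_RE.finditer(text):
            if is_plausible_ssn(*m.groups()):
                self.findings.append((location, m.group(0)))

def scan_html(html: str):
    """Return (location, ssn) for every plausible SSN anywhere in the document."""
    scanner = PIIScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample (not the real DESE page): the rendered table shows only a
# name and certificate, but the source also carries SSNs a browser hides.
SAMPLE_HTML = """<html><body>
<table><tr><td>J. Doe</td><td>Certificate 12345</td></tr></table>
<input type="hidden" name="ssn" value="219-09-9999">
<!-- legacy export: taxid 078051120 -->
<script>var rec = {"ssn": "123-45-6789"};</script>
<p>Enter your number as 000-00-0000</p>
</body></html>"""
```

Running `scan_html(SAMPLE_HTML)` reports three numbers, none of them in visible text, which is precisely the "view source" exposure the article describes.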
The Post-Dispatch reported that it wasn’t immediately clear how long the Social Security numbers and other sensitive information had been vulnerable on the DESE website, nor was it known if anyone had exploited the flaw.
But in a press conference Thursday morning, Gov. Parson said he would seek to prosecute and investigate the reporter and the region’s largest newspaper for “unlawfully” accessing teacher data.
“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” Parson said. “It is unlawful to access encoded data and systems in order to examine other peoples’ personal information. We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter, the Missouri State Highway Patrol’s Digital Forensics Unit will also be conducting an investigation of all of those involved. This incident alone may cost Missouri taxpayers as much as $50 million.”
While threatening to prosecute the reporters to the fullest extent of the law, Parson sought to downplay the severity of the security weakness, saying the reporter only unmasked three Social Security numbers, and that “there was no option to decode Social Security numbers for all educators in the system all at once.”
“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson continued. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”
Parson said the person who reported the weakness was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.”
“We will not let this crime against Missouri teachers go unpunished, and refuse to let them be a pawn in the news outlet’s political vendetta,” Parson said. “Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”
In a statement shared with KrebsOnSecurity, an attorney for the St. Louis Post-Dispatch said the reporter did the responsible thing by reporting his findings to the DESE so that the state could act to prevent disclosure and misuse.
“A hacker is someone who subverts computer security with malicious or criminal intent,” the attorney Joe Martineau said. “Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
Aaron Mackey is a senior staff attorney at the Electronic Frontier Foundation (EFF), a non-profit digital rights group based in San Francisco. Mackey called the governor’s response “vindictive, retaliatory, and incredibly short-sighted.”
Mackey noted that Post-Dispatch did everything right, even holding its story until the state had fixed the vulnerability. He said the governor also is attacking the media — which serves a crucial role in helping give voice (and often anonymity) to security researchers who might otherwise remain silent under the threat of potential criminal prosecution for reporting their findings directly to the vulnerable organization.
“It’s dangerous and wrong to go after someone who behaved ethically and responsibly in the disclosure sense, but also in the journalistic sense,” he said. “The public had a right to know about their government’s own negligence in building secure systems and addressing well-known vulnerabilities.”
Mackey said Gov. Parson’s response to this incident also is unfortunate because it will almost certainly give pause to anyone who might otherwise find and report security vulnerabilities in state websites that unnecessarily expose sensitive information or access, which in turn means such weaknesses are more likely to be found and exploited by actual criminals.
“To characterize this as a hack is just wrong on the technical side, when it was the state agency’s own system pulling that SSN data and making it publicly available on their site,” Mackey said. “And then to react in this way where you don’t say ‘thank you’ but actually turn on the reporter and researchers and go after them…it’s just weird.”
Welcome to Iowa.
Great article and another example of shameful politics by the Missouri governor. I hope he is liable for public disinformation and defamation of this responsible reporter’s character. The governor’s frivolous and wholly incorrect lawsuit is what may end up costing his constituents the most money. Incompetence among our nation’s politicians is at a staggering high. Hold them as accountable – personally.
Sometimes we are still stupefied by US news. This is a R gov, so perhaps we need to adjust our reality-meter accordingly. The follow-up will of course be buried on page 7 – but retard-country does have a tradition of imposing misery on the whistleblower, so we root for the journalist. All families have the awkward sibling .. so I guess we still love you and wish you well. It is tragicomic funny still when all the entitled indignation of the ignorant wells out. There there .. breathe a bit and let yourself grow and grow up. Pay the $50 mill fine that you probably cut out and more from the instances responsible for the code. Don’t give in to the urge to find “the one responsible”. Don’t scream or cry. Be better.
I see this R Governor is about as smart as a rabbit, let’s feed him to the Foxocrats, I mean Democrats.
That anyone could be elected as a Governor and yet be unaware of the press freedoms beggars the mind…
Let me take a wild guess…….. Is this Governor a Republican by any chance? You can’t fix stupid. #DumbGOP
Sigh. Mississippi. That is all you need to have said. Next assume something similar is happening in Alabama and Arkansas, just because.
It’s Missouri, not Mississippi, not Iowa. Missouri.
This is a similar situation to what happened when an applicant for unemployment insurance in Arkansas discovered a flaw in the hastily stood up website during the pandemic. To avoid embarrassment, the state started to “prosecute” the individual while they tried to recover from the PR disaster associated with it. The state eventually dropped the charges and moved on. It’s a shame the State of MO is pulling the same lame stunt.
Folks, you should keep the characterization of folks based on political affiliation to a minimum. Stupidity is not restricted in political affiliation.
Probably not ‘restricted’, but we’re starting to see a pattern here with modern-day ‘Rs’.
Rrrrright. Just a coincidence this fascist is a Republican.
Stupidity is costly, willful ignorance even more so. Both parties, especially older legislators, are woefully misinformed as to how the basic concepts of IT work; however, the GOP-controlled states seem to be much more willing to sacrifice the health and security of their people in order to make a political point or stay in power.
New York nursing home Covid scandal comes to mind.
Maybe the governor should have the state’s IT staff criminally indicted for theft of state funds. $50 million to fix this? Seriously? Can I have that budget? I’ll have it fixed next week and move to Bermuda. On what planet is reading the results of “View Page Source” a criminal act that requires “permission”? Is an understanding of HTML somehow illicit “decoding”?
The governor should be embarrassed for holding this press conference and immediately fire the IT clown who sold him on this being “hacking”.
Probably just a number derived from the number of social security numbers times the cost for one year of credit monitoring.
Since it was state employees/contractors who published the PII, the governor’s desire to prosecute the malefactors would boomerang back to state agencies. Oops. The offending pages will also live on in various web crawling repos, for anyone who wants to go looking… Another oops. On a brighter note, all the SSNs were already for sale on the dark web from other leaks anyway. No harm. No foul.
Yeah, someone could have easily stumbled on them by now. I mean, the Chinese love government sites because of dumb stuff like this. If the site leaked PII, then who knows what other vulns existed that could have led to far worse things, like RCE or SQLi. They should create a responsible disclosure policy like all the other government sites and work with companies like Synack or HackerOne to harden their web apps.
This happened to my brother: the LA County Voters Registrar office charged him with 2 felonies after he discovered an SQL injection that exposed millions of people’s personal voter information. Nobody came to his defense. We reported it to the LA Times and nobody printed the story. Thanks Uncle Sam, you’re a real asshole. Cost 100k to defend him in court. The LA County DA office also did no service to voters in actually resolving the exploit, only a bunch of blood-hungry cowboys thinking they’re hunting down the next Anon hacker.
It’s unethical to prosecute an individual with information theft criminal charges without damages. The CA law was drafted by cops and judges. We need better laws that protect people who report exploits, especially when it comes to government exploits.
You can’t hide a breach in CA. I will have to call BS on your story unless you publish names, case numbers, etc. so that this story can be verified.
I will back up my comment with state law:
https://oag.ca.gov/privacy/databreach/reporting
I refuse to post my personal info on here, but if you really are interested in verifying my story, I can send you the case number and more details. Email me at kiddo.ankh-0n@icloud.com
“discovering an SQL injection that exposed”
This is a very different situation.
Public source code and SQL injection are worlds apart.
It’s always risky business when someone tries for a bug bounty when nobody gives you permission to do explicit attacks like SQLi or XSS. I think every company should have a bug bounty program with responsible disclosure. But if someone tries to hack a system that does not have a bug bounty program in place,… That’s not white hat.
You are 100% correct. I don’t know about you but anyone that has spent the first 15 minutes in an ethical hacking training course has heard, ‘You must get written approval from the RIGHT person (think C-level or owners) to ever pen-test or attempt to hack a resource you don’t own yourself’. Your brother may have had good intentions but an understanding of applicable laws is critical to his future success and potentially unwanted residency in a prison. On the bright side, he probably scored a good job for his pen-testing skills – just hope he continues to use his powers for good – within the law.
I wonder, can this be labeled hacking if the server made the error and sent more data than it is authorized? I assume not. Certainly, the problem is not new, flight booking systems had the same problem and would send all sorts of data and rely on the client to “hide” the data.
New York nursing home Covid scandal comes to mind.
You seem awfully invested in repeating this point Dave. Whataboutism is for people who don’t actually care about the truth.
One political jab for another. Sam couldn’t make it two sentences in his reply without mentioning party affiliation. That is unfortunately the way the world turns nowadays.
The truth is someone got embarrassed about something they may or may not have been responsible for and instead of taking the high road on owning the fix they want to complain about the publicity of the problem. That truth can be found in any company, public, private, or gov.
Party affiliations change over time. Democrats were once the bigoted social conservatives in the South.
In 10 years we may not even recognize this current batch of politicians as Republican.
They may be known as a new faction under Trump.
Some people want to be defensive about their political affiliation, that’s fine.
But whatever you want to call it, you cannot deny there is a growing trend of open hostility toward the media and journalism.
Being called the enemy of the people was not just rhetoric, but a battle cry.
Wow, let’s just shoot the messenger, even though they waited until the issue was corrected. Threatening someone who reports a security issue like this is a great way for researchers to not tell anyone and let the site hang itself.
Looks like the “Show Me State” is now the “Don’t Show Me Up State.”
The “Show Source State”
LMAO
Missouri Governor Mike Parson has publicly defamed the St. Louis Post-Dispatch by naming the publication and the reporter who broke the stories as “perpetrators who attempt to steal personal information and harm Missourians,” in an action that would be difficult for him to shield himself under the “duties of his office” in the face of a civil lawsuit.
Certainly the Governor should have consulted a knowledgeable computer expert before publicly laying such charges against the newspaper.
Well at least he’s wasting taxpayer dollars prosecuting a case he’s 100% guaranteed to lose. 🙁
Missouri, you can certainly do better than to elect a GQP dumbskull governor who can’t see the line between this issue and the 1st Amendment protections for the press.
Thanks for sharing this story. The Governor is monumentally wrong on the CFAA, but I’m sure you know that.
A minor but important correction: You wrote that the Gov claimed that “fixing the flaw could cost the state $50 million.” That’s not quite right. He claims that the “incident alone may cost Missouri taxpayers up to $50 million.” I’d guess this number includes an estimate for the legal cost of dealing with the data breach plus any statutory penalties the state might incur.
Well said, Jonathan (“Folks, you should keep the characterization of folks based on political affiliation to a minimum. Stupidity is not restricted in policital (sic) affiliation.”). I was thinking the same. @Sam in Mellen, I also agree with your points. Aside from stupidity not differentiating political affiliation, political affiliation doesn’t (nor should it ever) matter when it comes to computer security and protecting data. Gov. Parson’s response shows he (and his staff or whomever fed or fact-checked his information) is ignorant on this topic as are most elderly people in general, let alone older legislators. This ignorance is certainly not limited to the elderly either. Unfortunately, Gov. Parson’s response is not unique. This happens often in the private sector and not just with vulnerabilities – penetration testing also comes to mind.
When government/bureaucrats focus so much more on punishing those who embarrassed them… rather than humbly utilize constructive criticisms/investigations as genuine opportunities for improvements…
Dear Krebsonsecurity.com
We see that you didn’t have a picture for this story and used a screenshot of the press conference.
Does anyone in the org know how to use a crop tool? We can see the play button.
And that’s a problem because……
This seems like Weev vs ATT again. I hope he doesn’t get his freedom stolen.
Surely someone cannot be this daft.
Right?
Commentariat please let me know: is there any hushed reason why he wants to prosecute the reporter? Like is there something we don’t know about the story? Is the news org covering their ass and we got it twisted? Because I just can’t believe such boastful ignorance.
Does this mean the SSNs are available on the Wayback Machine?
You know this is just sad. I do not care if it is an R or D state; the fact is, multiple states and multiple agencies are just outdated, and have absolutely no desire or care for the personal information of their constituents.
Very true. I feel like this anti journalism and anti science stuff is fairly new now and very scary. The previous president was a role model for going on the attack against both when he didn’t like the narrative. It’s a dangerous path and I worry that we cannot get back to a better place.
I bet the SSNs are there because they are the primary key in the database table.
It does make the best primary key 🙂
Edward Snowden was right!
*sigh* That’s not what a hacker is. There wasn’t any unauthorized access. The dumbass that created the website hardcoded the data in the display code. It won’t cost 50 million to fix in any competent administration. Probably not even in this utterly incompetent one given how they keep strangling necessary infrastructure budgets – unless 49.9 million ends up in crony pockets. Posturing politician got caught with his pants down and rightfully ridiculed when asked about a subject he’s got less than a clue about and started spouting nonsense.