Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 — two years after responsibility for securing the state’s IT systems was centralized within Parson’s own Office of Administration.
In October 2021, St. Louis Post-Dispatch reporter Josh Renaud alerted Missouri education department officials that their website was exposing the Social Security numbers of more than 100,000 primary and secondary teachers in the state. Renaud found teachers’ SSNs were accessible in the HTML source code of some Missouri education department webpages.
After confirming that state IT officials had secured the exposed teacher data, the Post-Dispatch ran a story about their findings. Gov. Parson responded by holding a press conference in which he vowed his administration would seek to prosecute and investigate “the hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”
“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson said in October. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”
Parson tasked the Missouri Highway Patrol to produce a report on their investigation into “the hackers.” On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that Renaud did nothing wrong and only accessed information that was publicly available.
Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was “not an actual network intrusion” and the state database was “misconfigured.” The emails also revealed the proposed message when education department leaders initially prepared to respond in October:
“We are grateful to the member of the media who brought this to the state’s attention,” was the proposed quote attributed to the state’s education commissioner before Parson began shooting the messenger.
The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state’s Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade.
McGowin also said the DESE’s website was developed and maintained by the Office of Administration’s Information Technology Services Division (ITSD) — which the governor’s office controls directly.
“I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct,” the Highway Patrol investigator wrote. “I asked her if the ITSD was within the Office of Administration, or if DESE had their on-information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration.”
The report was a vindication for Renaud and for University of Missouri-St. Louis professor Shaji Khan, who helped the Post-Dispatch verify that the security flaw existed. Khan was also a target of Parson’s vow to prosecute “the hackers.” Khan’s attorney Elad Gross told the publication his client was not being charged, and that “state officials committed all of the wrongdoing here.”
“They failed to follow basic security procedures for years, failed to protect teachers’ Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem,” Gross told The Post-Dispatch. “We thank the Missouri State Highway Patrol and the Cole County Prosecutor’s Office for their diligent work on a case that never should have been sent to them.”
Baltimore, MD, has buried the story on who nuked their networks, but I also expect it was incompetent contractors and/or city management. Ransomware locked Baltimore down tight, and they didn’t pay up. They were down for months, unable to bill for water. Getting back to work cost them big money, far beyond the ransom. The IT head position appeared on LinkedIn months later. THAT would be a good story to bring to light.
Sadly, the governor’s response was the norm just 5-10 years ago. Thankfully now we have bug bounty programs and responsible disclosure procedures that improve security without shooting the messenger.
I think most, if not all of us, in the cybersec world got a pretty good laugh out of this when it first hit the news. The accusations made by Parsons were foolish and exposed an astounding level of incompetence from him and his admin. He wanted this to become a “media did a bad thing” story. This article pretty much confirms it. Hopefully someone there will get the Parsons a Dummies guide to the Internet.
> exposed an astounding level of incompetence
Sadly, the governor did not apologize or issue a corrective statement. Those who live within the Parsons info-silo only know the original story of “Media gone bad”.
Gov Parsons also needs the Dummies Guide to Life In General
Your article would be more accurate if you had noted the Governor in 2011 who’s administration was in office at the time the teacher data was first exposed was Jay Nixon (D) not the current Governor Mike Parson.
Inkblotr, It is irrelevant who was in the office 2011. The relevant parts are a) Parsons office was responsible of the database and the security of the systems since 2009, even though Parson himself was in the office since 2018, and b) Parson and his administration wrongfully accused Renaud and Khan. Now I do not expect that a 67 year old ex-sheriff and gas station owner would be on the edge of the technology, but his advisors should be. This incident reminds me 2010 or thereabouts case where a mayor(?) of a midwest(?) city attacked CentOS maintainers for hijacking the city web pages. That was hilarious. I’m sorry I’ve forgotten the details, but the clue was that city domain redirected to an unconfigured Apache httpd, which in CentOS defaults to, well, default page.
“Please remove your software immediately before I report it to government officials!! I am the City Manager of Tuttle, Oklahoma.” – Jerry Taylor, 2006
@itissnoweverywhere: For a news article (contrary to recent popular beliefs), it is completely relevant to report the accuracy of information. To not report accurate information proves that the integrity of the agency reporting it does not maintain that integrity and is otherwise reporting based upon a bias…or mis-information. Most news agencies today are nothing more than a biased representation of he-said, she-said. I would rather have a news agency just report the news, maintain its integrity, publish updated information, and admit when it needed to be corrected, than to brush past seemingly “benign” information as you have suggested.
The contents of all new articles are based on a series of decisions about which information about the subject is important. That judgement about which info is important IS SUBJECTIVE. Having said that, the subjective decision can be made with an intent to INFORM or PERSUADE or MISLEAD. Inkblotr wanted to include the fact that the Gov when the system was designed and built was a Democrat. He wanted that for (I believe) partisan reasons, not because it’s an important part of informing people. The two significant aspects of this whole situation are that: a) A state govt IT department could be so clueless as to publish SSNs this way more than 10 years ago AND that they still hadn’t rectified the problem and b) The governor was more interested in throwing mud than admitting there was a problem and ensuring that it was fixed (and that effort was put forth to find OTHER problems like this in state systems).
I remember working in a Fortune 500 company in the 90’s, when we had to explain to upper management why using SSNs as user ids was a bad idea and actually against the law.
University of Missouri-St. Louis professor Shaji Khan — I have to wonder if Governor Mike Parson’s motivation for his outrageous response was Republican hate triggered by the Professor’s name. For the vocal public Republican extremists we’re saddled with now, it would not be a surprise if his violent response and his willful lack understanding that nobody hacked anything here is predicated in hate-based Republican racist ideologies which are growing in extremist degrees over the past 30 years in America.
Your Liberal rant holds absolutely no water. I’ve worked as an algorithm encryption developer within a Gov defense agency for over 20 yrs and have had to deal with both sides of pols. One thing has been consistent, not a one them has any idea when it comes to the workings of IT/Cyber structure platforms. Most need an aide to turn on their machines. This clown Parson and his predecessor & fellow clown Nixon have not a clue what a hack is. Leave the GD radical political BS at the doorstep.
Nixon and the IT department can be seen as incompetent. Parson adds malfeasance on top of the incompetence. There is a difference. Your political viewpoint seems to blind you to that fact. Using “radical” as a part of your screed suggests that outside of work, you aren’t very connected to reality.
Sounds like a former President is living in your mind rent-free.
He’s about to be living rent-free himself, as opposed to merely Secret Service landlording.
JP and David sure are snowflakes. Parsons response was all politics and JP and David are too dumb or blind to see it.
Missouri incompetence flows through all levels of Missouri government. Sometimes the stupid is just stronger especially as you go from paid idiots to elected idiots.
What’s your point? Parsons was in charge, Nixon was gone. Why didn’t this get resolved under Parsons? Why did this turn into a national story about the media hacking the government?
Missouri gutted their IT staff and went heavily to contractors. Contractors do not have a vested interest in actually protecting, their job is to increase billable hours, and a breach results in more hours and protecting things.
Missouri Governor Mike Parson is a ignorant ####, in my opinion looking at a website source code amounts to nothing more than the analogy of looking at a schematic of a circuit board .
I wonder if he’ll threaten charges against his office for dereliction of duty.
Living in Overland Park, just a jaunt to the Missouri state line, I am exposed almost daily, mostly via the KC Star, to the incompetence and rank maneuverings of the Show Me State’s political leadership. Thanks, Brian, for providing a deep dive into this affair.
Man. That’s especially painful, coming from a resident of a state that elected Sam Brownback.
“But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 — two years after responsibility for securing the state’s IT systems was centralized within Parson’s own Office of Administration.”
I think a more accurate way of stating this is :
But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 — two years after responsibility for securing the state’s IT systems was centralized within the governor’s own Office of Administration. This centralization started during the term of Jay Nixon(D) and lasted through the term of Eric Greitens(R) until discovered by Renaud during the current term of Governor Parson.
Too bad they couldn’t spend that 175 hours finding and fixing other security misconfigurations.
I don’t fault Governor Parson for not knowing / understanding the internet much less information security. I DO fault his poor selection of advisers, who should have told him to cool it at the outset, and/or his arrogance in not listening to the good advice he did get (“We are grateful to the member of the media who brought this to the state’s attention”)
Mel Brooks couldn’t write a better script. Well, yes he could…
A Mel Brooks movie showcasing Missouri? Oh man, that will be a riot! So much material and characters to draw upon. A friend and I are discussing who would play Parsons (almost everybody, apparently. Pa dum dum). And Nixon. And Greitens. It is kind of fun. But like the story of the Trump era, there is no happy ending. Well, maybe for Greitens. At least he is single now. I guess that decision to stay together and be a family (I guess getting married and having children did not qualify for Eric) after getting fired as Governor had an expiration date, huh? Gotta be in the film. I can’t wait. Somebody please tell Mr. Brooks about this idea.
People get the leaders they deserve.
I appreciate the information and advice you have shared.
I’m no web developer but even with my limited experience I can’t help but wonder how something that should be queried in a database ends up in html! Lazy or am I missing something?
Well done, like usual. And as usual my comments are about the commenters. Do or did the people of Missouri deserve this? Or did the political leaders foist it upon them. I’m really surprised it took that long for someone to look at the database. I wonder what lead them to it? Or what newsworthy item they were investigating. And what other problems are yet to be discovered. Yes, poke fun at Missouri, but where were the database administrators trained at? Didn’t they get their security training elsewhere? Even Missouri colleges cover that, along with police groups, and small business groups. And contractors, some are good, some are there to take the money. And it’s usually better money then the old employees were making. And don’t blame the Dems, when was Missouri’s last democratic house or Senate? I don’t remember one.
As a former MO resident, all I can say is MO used to use SSNs as driver license #. The rank stupidity and incompetence of MO government has been in place for decades.
From Parsons to “Legitimate Rape” Todd Aikens (https://www.cbsnews.com/news/todd-akin-legitimate-rape-dead-74/), the streak of stupidity/racism that runs through MO politics is nothing short of astounding.
Stupid conservatives, always wanting to punish the whistle blower but never themselves for making these problems.
Good conversation and reporting as usual by Mr. Krebs.
I am reading the report in detail and haven’t finished. In supplement 3, it’s stated they run a static vulnerability scan against the code base.and they didn’t see the vulnerability. I would not expect a code scan to catch this problem. I didn’t see any mention yet of any scheduled penetration testing, which I would expect to catch it.
The capability to view the web page content has been built into every browser for decades. Why would a governor get involved in this?
Gentlemen, we have to protect our phony-baloney jobs, harumph, harumph. I didn’t get a harumph out of you!
Give the governor a harumph.
Watch your …..
Thanks for bringing the comments full circle, well played!
the governor reminds me of a commercial is saw a while back…
CEO behind his big desk says: “With this new development we are really going to stick it to the Man!”
His assistant replies: “But sir you are the MAN! “
Ignorant Governor needs to hold a press conference and publicly wipe the dog crap off his face.
Hello everyone, it’s my first visit at this website, and piece of writing is eid ul fitr in support of me, keep up posting these content.