Missouri Governor Accuses Newspaper of “Hacking” State Website


Written by Benjamin Freed

Missouri Governor Mike Parson on Thursday accused a newspaper reporter of discovering data exposure on a government agency website that “hacked” sensitive data. The governor then threatened the reporter and his colleagues with criminal and civil prosecution, even though the reporter appeared to be following ethical disclosure rules.

The St. Louis Post-Dispatch reported this week that a state Department of Elementary and Secondary Education (DESE) website accidentally disclosed the personal information of public school employees across Missouri, including teachers, administrators and career counselors. The reporter, who is also a web developer at the newspaper, found that the website’s search tool for the professional credentials of educators exposed more than 100,000 social security numbers.

While the search tool did not display the sensitive data on published web pages, the reporter found that the tool’s HTML source code – a document easily accessible from any Internet browser – contained the social security numbers. The post-dispatch confirmed the exposure with a professor at the University of Missouri-St. Louis and informed DESE of its findings before releasing its story, which gave the agency the option to update the search tool and remove the social security numbers from the source code.

A “common” mistake

“That sounds like a very common type of vulnerability on websites,” said Katie Moussouris, CEO of Luta Security and longtime researcher who developed the international standards for vulnerability disclosure. “You go to a webpage that allows you to look up something and the webpage shows you what to see – maybe just the teacher’s name – but they have a lot more information embedded from the backend database.”

Although DESE updated the website on Tuesday, Parson started his day on Thursday by tweeting that he would address “the recent hacking” by the education authority. During a performance in Jefferson City, the governor tore into the Post-Dispatch report and accused the newspaper of a high-level hacking attack.

“In a multi-step process, one person took the records of at least three educators, decoded the HTML source code, and looked at the social security numbers of those particular educators,” Parson said. “We also don’t know why this person is trying to access, convert, and inherit personal information from teachers in Missouri. Let me be clear: This government is against any perpetrator who tries to steal personal information and harm Missourians. “

Parson also accused the Post-Dispatch of trying to humiliate his government.

“That was clearly a hack. They took action against a government agency to compromise teachers’ personal information, embarrass the state and sell headlines for their news agency, ”Parson said. “We will not allow this crime against teachers in Missouri with impunity, and we refuse to allow teachers to be pawns in the news agency’s political revenge.”

Parson said he forwarded the reporting to prosecutors and the Missouri State Highway Patrol’s digital forensics lab to investigate an incident that he said could cost the state $ 50 million.

“We stand by our coverage and our reporter who got it right,” said Ian Caso, President and Editor of Post-Dispatch, in a statement emailed. “It is unfortunate that the governor has decided to shift the blame on the journalists who discovered the problem with the website and brought it to the attention of the Department of Elementary and Secondary Education.”

“Five phases of grief”

Despite the governor’s exaggeration, Moussouris said this type of response was quite common.

“It’s part of what I call the five stages of vulnerability response grief, and they seem to be in the anger phase,” she said. “It was the merging of the discovery of the vulnerability, the private reporting and the fix, which all happened. It’s that kind of misunderstanding that can be very dangerous. “

By threatening legal action against an ethically reported vulnerability, Moussouris said, Parson is making Missouri less secure by creating a chilling effect that could deter other researchers from sharing future discoveries.

“Following up security researchers with lawsuits and threats is the quickest route to weak security,” she said. “Organizations that want good security scores welcome researchers who report vulnerabilities.”

And that’s a courtesy Moussouris said extends to journalists.

“According to [International Organization for Standardization] By standards, the reporter is just the person reporting the vulnerability, ”she said. “It doesn’t matter whether it’s a journalist, a self-appointed security researcher or a government employee.”

“This is not an elite”

The episode can also be an indication of the state’s priorities in application development. According to Moussouris, security must be built in “from scratch” so that at least sensitive data is not published online.

“All you have to do is right-click,” she said. “This is not elite hacking.”

However, if Parson’s insistence on a costly, expanded post-dispatch investigation succeeds, Moussouris said the newspaper will have many defense attorneys.

“When it really comes down to a specific case, the defense needs witnesses and they have many to choose from, but if they need someone who wrote the ISO standards, I’m here,” she said. “Journalists have been through so much, you don’t need legal threats to point out vulnerabilities.”


About Author

Leave A Reply