Missouri Gov. Mike Parson on Thursday accused a newspaper reporter who discovered a data exposure on a state agency’s website with “hacking” sensitive data. The governor then threatened the reporter and his colleagues with criminal and civil prosecution, despite the fact that the reporter appeared to follow the rules of ethical vulnerability disclosure.
The St. Louis Post-Dispatch reported this week that a website maintained by the state’s Department of Elementary and Secondary Education, or DESE, inadvertently exposed the personal information of public-school employees across Missouri, including teachers, administrators and guidance counselors. The reporter, who is also a web developer at the paper, discovered that the site’s search tool for educators’ professional credentials was making more than 100,000 Social Security numbers accessible.
While the search tool did not display the sensitive data on published web pages, the reporter found that the tool’s HTML source code — a document readily accessible from any internet browser — included the Social Security numbers. The Post-Dispatch confirmed the exposure with a professor at the University of Missouri-St. Louis and also notified DESE of its findings before publishing its story, giving the agency an opportunity to update the search tool and scrub the Social Security numbers from the source code.
A ‘common’ flaw
“It sounds like a very common type of vulnerability on websites,” said Katie Moussouris, the CEO of Luta Security and a longtime researcher who developed the international standards for vulnerability disclosures. “You go to a web page designed to let you look something up, and the web page shows you what you need to see — maybe just the name of the teacher — but they embedded a lot more information from the backend database.”
Although DESE updated the website Tuesday, Parson began his day Thursday by tweeting that he would address “the recent hacking” of the education agency. At an appearance in Jefferson City, the governor tore into the Post-Dispatch’s report, accusing the paper of a high-level hacking effort.
“Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code and viewed the Social Security numbers of those specific educators,” Parson said. “We also do not know why this individual seeking to access, convert and take personal information from Missouri teachers. Let me be clear: This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians.”
Parson also accused the Post-Dispatch of attempting to humiliate his administration.
“This was clearly a hack. They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Parson said. “We will not let this crime against Missouri teachers go unpunished, and we refuse to let teachers be a pawn in the news outlet’s political vendetta.”
Parson said he was referring the incident to state prosecutors and the Missouri State Highway Patrol’s digital forensics laboratory for an investigation he said could cost $50 million.
“We stand by our reporting and our reporter who did everything right,” Ian Caso, the Post-Dispatch’s president and publisher, said in an emailed statement. “It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to the Department of Elementary and Secondary Education’s attention.”
‘Five stages of grief’
Despite the governor’s hyperbole, Moussouris said that kind of reaction is quite common.
“It’s part of what I call the five stages of vulnerability response grief, and they seem to be in the anger phase,” she said. “It was conflating the act of discovering the vulnerability, privately reporting it, getting it fixed, which all occurred. It is this kind of misunderstanding that can be very dangerous.”
By threatening legal action against an ethically reported vulnerability, Moussouris said Parson is making Missouri less safe by creating a chilling effect that could dissuade other researchers from sharing future discoveries.
“Going after security researchers with lawsuits and threats is the fastest way to weak security,” she said. “Organizations that want to have good security outcomes welcome researchers who report vulnerabilities.”
And that’s a courtesy that Moussouris said extends to journalists.
“According to the [International Organization for Standardization] standards, the reporter is just the person who reports the vulnerability,” she said. “It doesn’t matter if the person is a journalist or self-declared security researcher or state employee.”
‘This isn’t elite’
The episode may also be indicative of the state’s priorities in application development. Security, Moussouris said, needs to be built in “from the ground up” so that, at a minimum, sensitive data isn’t published online.
“All you need to do is right-click,” she said. “This isn’t elite hacking.”
If Parson’s push for a costly, extended investigation into the Post-Dispatch pans out, though, Moussouris said the newspaper will have plenty of defenders.
“If it does go to the point of an actual case, the defense will need witnesses, and they can choose from many, but if they need someone who wrote the ISO standards, I’m right here,” she said. “Journalists have been through so much, you don’t need legal threats for pointing out vulnerabilities.”