On Wednesday, the St. Louis Post-Dispatch ran a story about how its staff discovered and reported a security vulnerability on a Missouri state education website that exposed the Social Security numbers of 100,000 elementary and secondary school teachers. At a press conference this morning, Missouri Governor Mike Parson (R) said fixing the bug could cost the state $50 million and promised that his administration would seek to investigate and prosecute the “hackers” and anyone who helped the publication in its “attempt to harass the state and sell headlines to their news media.”
The Post-Dispatch says it discovered the vulnerability in a web application that allowed the public to search for teacher certificates and credentials, and that more than 100,000 SSNs were available. The Missouri Department of Elementary and Secondary Education (DESE) reportedly removed the affected pages from its site on Tuesday after being notified of the issue by the publication (before the story about the bug was published).
The newspaper said it found that the teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was accessible to anyone with a web browser who happened to inspect the site’s public code using developer tools, or who simply right-clicked on the page and viewed its source.
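The failure mode described above, as an added illustration that is not code from the state's site or the newspaper's reporting: a lookup page that renders a whole record into hidden fields (so the SSN sits in the page source even though it is never displayed) beside an allow-listed version, plus a response-side check that flags SSN-shaped strings in rendered HTML. The record and the SSN value are constructed placeholders.

```python
import html
import re
from typing import Dict, List

# Constructed sample record for a credential lookup page (not real data).
TEACHER_RECORD = {
    "name": "A. Example",
    "certificate": "Initial Professional Certificate",
    "status": "Active",
    "ssn": "123-45-6789",  # constructed placeholder, not a real SSN
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def render_vulnerable(record: Dict[str, str]) -> str:
    """Mimics the bug class: the server dumps the entire record into the
    page as hidden inputs. Only name and certificate are shown on screen,
    but every field, SSN included, is in the HTML source."""
    hidden = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in record.items()
    )
    return (f"<div class='result'><span>{html.escape(record['name'])}</span>"
            f"<span>{html.escape(record['certificate'])}</span>{hidden}</div>")

# Allow-list of fields that are permitted to leave the server at all.
PUBLIC_FIELDS = ("name", "certificate", "status")

def render_hardened(record: Dict[str, str]) -> str:
    """Filter the record server-side before it reaches the template, so a
    field that is not on the allow-list cannot end up in the markup."""
    public = {k: record[k] for k in PUBLIC_FIELDS if k in record}
    cells = "".join(f"<span>{html.escape(v)}</span>" for v in public.values())
    return f"<div class='result'>{cells}</div>"

def find_ssn_leaks(page_html: str) -> List[str]:
    """Check a team can run over rendered responses (e.g. a staging crawl)
    to catch SSN-shaped values that made it into the page source."""
    return SSN_RE.findall(page_html)

if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        leaks = find_ssn_leaks(render(TEACHER_RECORD))
        print(f"{label}: {len(leaks)} SSN-shaped value(s) found in HTML source")
```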
The Post-Dispatch reported that it was not immediately clear how long the Social Security numbers and other sensitive information had been exposed on the DESE website, nor was it known whether anyone had exploited the flaw.
But at a news conference Thursday morning, Governor Parson said he would seek to investigate and prosecute the reporter and the region’s largest newspaper for “illegally” accessing teacher data.
“This administration stands up to all perpetrators who try to steal personal information and harm Missourians,” Parson said. “It is illegal to access encrypted data and systems to investigate other people’s personal information. We coordinate the state’s resources to respond and utilize all available legal methods. My administration has informed the Cole County Attorney on this issue, and the Missouri State Highway Patrol’s Digital Forensics Unit will also conduct an investigation of all those involved. This incident alone could cost Missouri taxpayers as much as $50 million.”
While threatening to prosecute the journalists to the full extent of the law, Parson tried to downplay the severity of the security vulnerability, saying the reporter only revealed three Social Security numbers and that “there was no way to decode Social Security numbers for all educators in the system at once.”
“The state is obligated to bring anyone who hacked our systems, or anyone who helped them do so, to justice,” Parson continued. “A hacker is a person who gains unauthorized access to information or content. This person was not allowed to do what they did. They had no permission to convert or decode, so this was clearly a hack.”
Parson said the person reporting the vulnerability “acted against a government agency to compromise teachers’ personal information in an attempt to harass the state and sell headlines to their news media.”
“We will not let this crime against Missouri teachers go unpunished, and we refuse to let them be a pawn in the newspaper’s political vendetta,” Parson said. “Not only will we hold this person accountable, but we will also hold all those who have helped this person and the media company that employs them accountable.”
In a statement shared with KrebsOnSecurity, a lawyer for the St. Louis Post-Dispatch said the journalist acted responsibly by reporting the findings to DESE so the state could act to prevent disclosure and abuse.
“A hacker is someone who undermines computer security with malicious or criminal intent,” said attorney Joe Martineau. “Here there was no breach of any firewall or security and certainly no malicious intent. For DESE to divert its errors by referring to this as ‘hacking’ is unfounded. Fortunately, these errors were discovered.”
Aaron Mackey is a senior lawyer at the Electronic Frontier Foundation (EFF), a non-profit digital rights group based in San Francisco. Mackey called the governor’s response “vengeful, retaliatory and incredibly short-sighted.”
Mackey noted that the Post-Dispatch did everything right, even holding its story until the state had fixed the vulnerability. He said the governor is also attacking the media, which plays a crucial role in giving voice (and often anonymity) to security researchers who would otherwise stay silent rather than report their findings directly to the vulnerable organization under the threat of potential prosecution.
“It is dangerous and wrong to go after someone who behaved ethically and responsibly in the information sense, but also in the journalistic sense,” he said. “The public had a right to know about their government’s own negligence in building secure systems and dealing with known vulnerabilities.”
Mackey said Governor Parson’s response to this incident is also unfortunate because it will almost certainly discourage anyone else from finding and reporting security vulnerabilities on government websites that needlessly expose sensitive information or access. That in turn means such vulnerabilities are likely to eventually be found and exploited by actual criminals.
“Characterizing this as a hack is just wrong on the technical side, as it was the state agency’s own system that pulled this SSN data and made it publicly available on their website,” Mackey said. “And then to react in this way where you do not say ‘thank you’ but actually turn on the reporter and the researchers and go after them … it’s just weird.”