Missouri Gov. Parson targets St. Louis newspaper for prosecution after report on state’s security vulnerability

·5 min read

Missouri Gov. Mike Parson on Thursday announced he had referred the St. Louis Post-Dispatch and its reporters for criminal prosecution after the newspaper revealed a security vulnerability it discovered on a state agency’s website.

Parson delivered a thunderous condemnation of the newspaper’s examination of three Social Security numbers that could have been publicly accessible from a website maintained by the Department of Elementary and Secondary Education, or DESE.

The announcement marked an extraordinary attack on one of Missouri’s major newspapers and a broadside at the newsgathering process at a time when former President Donald Trump and other Republicans have demonized the news media and labeled accurate reporting “fake news.”

The Post-Dispatch has said it promptly informed DESE after discovering the vulnerability and delayed publication to give the state time to fix the problem.

“This individual is not a victim,” Parson, a Republican, said. “They were acting against the state agency to compromise teachers in an attempt to embarrass the state and sell headlines for their news outlet.”

Parson’s decision to lash out marks a new low in his relationship with the news media, which has often been rocky during the pandemic. He faced reporting over no-bid contracts, his refusal to impose mask mandates and early stumbles in the rollout of the vaccine. He has bristled at unfavorable reporting and singled out The Star, the Post-Dispatch and the Missouri Independent for criticism over their reporting on COVID-19.

During a hastily called appearance Thursday morning, Parson accused the Post-Dispatch of being motivated by a “political vendetta.” He didn’t take questions and ignored shouted inquiries about how finding the vulnerability on a publicly viewable website constituted a crime.

He blamed the newspaper for spurring an investigation that he said would cost Missouri taxpayers “as much as $50 million.” Asked to substantiate that claim, his spokeswoman Kelli Jones said the state would do so “eventually.”

Parson said his office referred the matter to the Cole County Prosecuting Attorney and the Missouri State Highway Patrol’s digital forensic unit. He also mentioned the possibility of civil lawsuits against the paper.

“This situation is being investigated by the Missouri State Highway Patrol’s Division of Drug and Crime Control. Once the investigation is complete, I will review the evidence and determine whether criminal charges are appropriate,” Cole County Prosecuting Attorney Locke Thompson, a Republican, said in an email.

Jean Maneke, an attorney for the Missouri Press Association, said there was no evidence the newspaper was attempting to steal personal information and stressed that it had brought its findings to DESE.

“There’s never been any criminal prosecution of a newspaper for this ever,” Maneke said. “But it’s not at all unusual for embarrassed public officials to proclaim that this is a newspaper’s fault when they’ve been caught with their pants down.”

A story published Wednesday night by the Post-Dispatch described how more than 100,000 Social Security numbers of teachers and other education department employees could have been publicly accessible because of a vulnerability on a website maintained by DESE.

“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” the newspaper’s attorney, Joseph Martineau, said in a statement for its story. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.

“For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”

The Post-Dispatch reported that it found that the Social Security numbers of teachers were contained in the HTML source code of pages linked to a tool that allows the public to search teacher certifications and credentials. The database contained Social Security numbers so school district officials could verify they are checking the correct teachers’ credentials, according to the state’s Office of the Administration, whose IT division maintains the site. The newspaper said it delayed publication of the story to give DESE time to address the vulnerability and search for weaknesses on other agency sites.

HTML source code is publicly available to anyone with a web browser and essentially acts as the infrastructure underneath what someone sees when they visit a website.

But DESE labeled the individual who discovered the vulnerability a “hacker” who took the records of at least three educators. The Post-Dispatch reported that after it confirmed the numbers were Social Security numbers, it informed the department. OA then had the website “disabled immediately by removing public access to the system and updating the code to repair the vulnerability,” the state said.

The Missouri State Teachers Association said it was notified by DESE in a letter late Wednesday of the data vulnerability.

Parson called the discovery an unauthorized access of “encoded” data that “had to be converted and decoded in order to be revealed.”

The individual wasn’t identified in the story, but other Post-Dispatch employees have named him as Josh Renaud, who wrote the article.

“In the finest tradition of public interest journalism, the Post-Dispatch discovered a problem – one publicly discernible to anyone who bothered to look; it verified the problem with experts; and it brought the problem to the attention of state officials for remedial action,” House Minority Leader Crystal Quade, a Springfield Democrat, said. “The governor should direct his anger towards the failure of state government to keep its technology secure and up to date and to work to fix the problem, not threaten journalists with prosecution for uncovering those failures.”