By Summer Ballentine and Jim Salter | Associated press
JEFFERSON CITY, Mo. — Republican Government Mike Parson on Thursday denounced one of Missouri’s largest newspapers for exposing a flaw in a state database that allowed public access to the Social Security numbers of thousands of teachers, although the paper did not report on the matter. flaw until the government fixes it.
Parson told reporters outside of his Capitol office that the Missouri State Highway Patrol’s digital forensic unit will conduct an investigation “on all persons involved,” and spoke to the prosecutor in Cole County, whose administration includes the state capital, Jefferson City. What do you mean by “included” or what inspectors’ St. Louis Post-Dispatch did not disclose whether it would investigate whether it broke the law during its reporting of the data vulnerability.
Post-Dispatch broke the news about the vulnerability on Wednesday. The newspaper said it discovered a vulnerability in a web application that allowed the public to search for teacher certificates and credentials.
The Department of Primary and Secondary Education removed pages from its website on Tuesday after being briefed on the matter by Post Post, saying it gave the state time to address the issue before publishing its story.
Post Submission estimated that more than 100,000 Social Security numbers were vulnerable, based on payment records and other data. He found that the Social Security numbers of the school employees were in the HTML source code of the relevant pages.
DESE said in a statement, “The state is unaware of the misuse of individual information or whether the information was accessed inappropriately other than in this individual event.”
While Post Submission alerted the agency to the problem and delayed the story, the agency’s newsletter called the person who discovered the vulnerability a “hacker” — a clear reference to the reporter — who “received the recordings of at least three educators.” The agency did not elaborate on what it meant by “received the records,” and declined to discuss the matter further than it said in a news release reached by the Associated Press.
Source codes can be accessed by right-clicking on public web pages.
The newspaper’s president and publisher, Ian Caso, said in a statement that Post-Dispatch stood by the news and said the reporter “did everything right”.
“It is regrettable that the Governor chose to place the blame on the journalists who exposed the website’s problem and brought it to the attention of the Ministry of Primary and Secondary Education,” Caso said.
Parson also suggested that the reporter had somehow broken the law.
“This person is not a victim,” Parson told reporters. “They were acting against a government agency to endanger teachers’ personal information in order to embarrass the government and make headlines for news outlets. We will not allow this crime against Missouri teachers to go unpunished.”
Peter Swire, a cyberlaw expert and professor at the Georgia Institute of Technology’s School of Cybersecurity and Privacy, said that flagging vulnerabilities on publicly accessible websites is a “public service” and “explicitly not a crime under federal law.”
“Right-clicking does not count as a criminal attack,” Swire said.
Post-Dispatch’s attorney, Joseph Martineau, said in a statement that the reporter “did what was responsible by reporting his findings to DESE so that the state could take action to prevent disclosure and abuse.” A hacker is someone who breaks computer security with malicious or criminal intent. There were no firewalls or security breaches here, and absolutely no malicious intent.”
“It is unfounded for DESE to deflect their failures by calling it ‘hacking’,” Martineau said.
Missouri Press Association attorney Jean Maneke said she doubted any judge would “let this go too far”.
“Obviously Post Dispatch warned the status of this issue,” Maneke said. “There is no evidence of any crime or malicious intent in the action. No attempt to steal information. There is no basis for him (Parson) to say that there were any illegal acts from Post Post.”
Local 420, AFT St. Louis’ spokesman, Byron Clemens, said the teachers’ union was not aware of any educators’ information being misused.
“However, we are concerned about the government’s attempt to divert responsibility and politicize what is so clearly a breach of security,” Clemens said in a statement. Said.
Meanwhile, Parson said the state would address security issues raised by the newspaper’s reports.
“We are working to strengthen our security to prevent this incident from happening again,” Parson said. “The state is taking its share and we are addressing areas where we need to do better than we did before.”
Reported from Salter, O’Fallon, Missouri.