Missouri governor threatens criminal prosecution of reporter who found security flaw in state site

The paper agreed to hold off publishing until the problem was fixed. But that didn't matter to GOP Gov. Mike Parson

Published October 14, 2021 5:24PM (EDT)

Missouri Gov. Mike Parson (Getty Images)
Missouri Gov. Mike Parson (Getty Images)

This article originally appeared on AlterNet.

Earlier this week, a reporter for the St. Louis Post-Dispatch notified Missouri's state government that a website maintained by the Missouri Department of Education had a security flaw — one that made the private information of teachers and education administrators, including their Social Security numbers, vulnerable. And the Post-Dispatch agreed to hold off on publishing information about that site's vulnerability while the problem was being addressed. But Missouri Gov. Mike Parson, according to Missouri Independent reporter Jason Hancock, is now railing against the Post-Dispatch, calling the reporter a "hacker" and threatening criminal prosecution.

At a press conference, Parson told reporters, "The state does not take this matter lightly…. This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians."

The Missouri Department of Education, according to Hancock, removed the web pages that were problematic after being informed of the problem by the Post-Dispatch.

Want a daily wrap-up of all the news and commentary Salon has to offer? Subscribe to our morning newsletter, Crash Course.

Hancock reports, "The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The Department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch. Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable. The newspaper delayed publishing this report to give the Department time to take steps to protect teachers' private information, and to allow the state to ensure no other agencies' web applications contained similar vulnerabilities."

Hancock notes that although "no private information was clearly visible nor searchable on any of the web pages," the Post-Dispatch "found that teachers' Social Security numbers were contained in the HTML source code of the pages involved."

According to Hancock, "The newspaper asked Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, to confirm the findings. He called the vulnerability 'a serious flaw.'"

By Alex Henderson

MORE FROM Alex Henderson