Missouri Governor Threatens Journalist Over Exposed State Data

Missouri Governor Faces Criticism Over Journalist Threat

Missouri’s Governor Mike Parson is currently contending with significant public disapproval following threats to prosecute a journalist for their responsible disclosure of a critical security vulnerability present on a state website.

Security Flaw and Initial Reporting

Josh Renaud, a reporter with the St. Louis Post-Dispatch, recently revealed that the website of the Department of Elementary and Secondary Education (DESE) was inadvertently exposing the Social Security numbers of over 100,000 teachers. This sensitive data was accessible by examining the HTML source code of the site’s webpages.

Accessing this source code is a straightforward process, often achieved by simply right-clicking on a webpage and selecting “view page source,” or by using the F12 key on a keyboard.

The Post-Dispatch initially informed state officials about the vulnerability, allowing them time to address the issue before publishing a detailed report. The DESE has confirmed that the “educator certification search tool was disabled immediately” and the flaw has since been rectified.

Governor’s Controversial Response

Instead of expressing gratitude for the newspaper’s discovery and proactive notification, Governor Parson characterized the journalist as a “hacker” and suggested the newspaper deliberately sought to discredit the state.

During a press conference on Thursday, he stated, “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did.” He further asserted that the journalist was not a victim, but rather acted to compromise teachers’ personal information and generate sensationalized news coverage.

Governor Parson declared the state’s commitment to pursuing legal action against anyone involved in the alleged “hacking” and those who assisted them, and has subsequently referred the matter to county prosecutors.

Widespread Condemnation

The governor’s reaction and his apparent misinterpretation of the term “hacker” have drawn criticism from various sources, including members of his own political party.

Republican lawmaker Tony Lovasco commented on Twitter, stating that the governor’s office demonstrates “a fundamental misunderstanding of both web technology and industry-standard procedures for reporting security vulnerabilities.” He emphasized that responsible reporting of data privacy concerns by journalists should not be equated with criminal hacking.

U.S. Senator Ron Wyden also voiced his disapproval, tweeting that “Journalism isn’t a crime. Cybersecurity research isn’t either. Real leaders don’t unleash their attack dogs on the press when they expose government failures, they roll up their sleeves and fix the problem.”

Cybersecurity Experts Weigh In

Professionals in the cybersecurity field have also offered their perspectives on the governor’s statements. Rachel Tobac, a hacker and CEO of SocialProof Security, noted that if code leaks personal data through readily accessible development tools, it represents a significant data leak issue, not a hacking incident.

Newspaper Stands by its Reporter

The Post-Dispatch is defending Renaud’s actions, asserting that he “did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse.”

The newspaper clarified that a hacker acts with malicious intent to compromise computer security, which was not the case here. It further stated that DESE’s attempt to label the situation as “hacking” is unsubstantiated.

Legal Implications and Potential Impact

Despite Governor Parson’s vow to hold the Post-Dispatch “accountable,” the likelihood of Renaud facing a successful conviction appears low, particularly in light of the U.S. Supreme Court’s recent ruling in Van Buren v. United States. This ruling established that accessing information one is not otherwise authorized to access constitutes a legal violation.

However, pursuing legal action could discourage journalism and security research, potentially leading to increased legal threats and attacks against researchers who identify and report security flaws.