source link: https://siliconangle.com/2021/10/14/missouri-governor-threatens-legal-action-journalist-exposed-data-leak/
Missouri governor threatens legal action against journalist who exposed data leak
SECURITY

Missouri Governor Mike Parson is threatening to prosecute a journalist who reported a serious flaw in a state website that exposed the Social Security numbers of state employees.

As reported by Josh Renaud of the St. Louis Post-Dispatch, the exposure involves a website maintained by Missouri’s Department of Elementary and Secondary Education: a public “web application” used to search for teacher certifications and credentials.

Using the website, Renaud was able to identify more than 100,000 Social Security numbers. What made the exposure so bad is that the SSNs were contained in the HTML source of the pages the application served. Exposures of this kind usually trace back to a database misconfiguration or similar; here the state’s own application wrote the numbers into the web page, so anyone who loaded a search result had already received them, no login or exploit required.

Renaud noted that the St. Louis Post-Dispatch did not go public with the discovery immediately, to give the department time to rectify the situation. The department did so, and that is where the story would typically end, except for Parson (pictured).

Noting again that the personally identifiable information was embedded in the HTML of the department’s website and was as easy to access as clicking “View Source” in a browser, the governor is, nonetheless, threatening the journalist.
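To make concrete what “the SSNs were in the HTML source” means, the following is an added example in Python; it is not code from the Post-Dispatch, the state’s application or SiliconANGLE, and the teacher records, field names and page layout in it are constructed assumptions. It shows the pattern behind the exposure (a server that serialises whole records into a page and trusts the browser to display only some fields), the fix (project the record down to public fields before rendering), and a View-Source-style check that flags SSN-shaped values in attributes, text, inline script and comments. The issuance rules in the regex are a simplification of the real SSN rules.

```python
import html
import json
import re
from html.parser import HTMLParser

# SSN in the common NNN-NN-NNNN layout. The lookaheads drop values that are
# never issued (area 000, 666 or 900-999; group 00; serial 0000), which keeps
# phone-number fragments and similar noise out of the findings.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

# Constructed sample records; the names, certificates and SSNs are made up.
RECORDS = [
    {"name": "Jane Doe", "cert": "Elementary 1-6", "ssn": "123-45-6789"},
    {"name": "John Roe", "cert": "Secondary Math", "ssn": "234-56-7890"},
]


def render_unsafe(records):
    """The pattern behind the exposure: the server hands the whole record to the
    page (here as a data-* attribute and as a JSON blob for the page's script)
    and relies on the UI to display only name and certificate. Everything it
    sends is visible in View Source."""
    rows = "".join(
        f'<tr data-ssn="{r["ssn"]}"><td>{html.escape(r["name"])}</td>'
        f'<td>{html.escape(r["cert"])}</td></tr>'
        for r in records
    )
    script = "var records = " + json.dumps(records) + ";"
    return (
        "<html><body><table>" + rows + "</table>"
        "<script>" + script + "</script></body></html>"
    )


def render_safe(records):
    """The fix: project each record down to the fields the page displays
    before anything is serialised, so the SSN never leaves the server."""
    public = [{"name": r["name"], "cert": r["cert"]} for r in records]
    rows = "".join(
        f"<tr><td>{html.escape(p['name'])}</td><td>{html.escape(p['cert'])}</td></tr>"
        for p in public
    )
    script = "var records = " + json.dumps(public) + ";"
    return (
        "<html><body><table>" + rows + "</table>"
        "<script>" + script + "</script></body></html>"
    )


class _LeakScanner(HTMLParser):
    """Walk a served page the way a reviewer reading View Source would, and
    record every SSN-shaped value: in attribute values (hidden inputs, data-*),
    in text nodes, inside inline script/style, and in HTML comments."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (where, context, [matches]) in document order
        self._open = []      # stack of open tag names, used for context

    def handle_starttag(self, tag, attrs):
        self._open.append(tag)
        for name, value in attrs:
            if value and SSN_RE.search(value):
                self.findings.append(("attribute", f"<{tag} {name}>", SSN_RE.findall(value)))

    def handle_endtag(self, tag):
        if tag in self._open:
            while self._open.pop() != tag:
                pass

    def handle_data(self, data):
        hits = SSN_RE.findall(data)
        if hits:
            ctx = self._open[-1] if self._open else "document"
            where = "script" if ctx in ("script", "style") else "text"
            self.findings.append((where, ctx, hits))

    def handle_comment(self, data):
        hits = SSN_RE.findall(data)
        if hits:
            self.findings.append(("comment", "<!-- -->", hits))


def scan_html(page):
    """Return every finding for one page, in document order."""
    scanner = _LeakScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings


def leaked_ssns(page):
    """Distinct SSN-shaped values present anywhere in the page source."""
    return {value for _, _, hits in scan_html(page) for value in hits}


if __name__ == "__main__":
    for label, page in (("unsafe", render_unsafe(RECORDS)), ("safe", render_safe(RECORDS))):
        print(label, sorted(leaked_ssns(page)))
        for where, ctx, hits in scan_html(page):
            print("   ", where, ctx, hits)
```

Running the script reports both SSNs for the unsafe page (once from each row’s data attribute and once more from the script blob) and nothing for the safe page. The same scanner can be pointed at responses captured from a real application; the point of the projection in render_safe is that the leak is prevented on the server rather than hidden by the UI.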

The governor’s entire Facebook post on the matter is surreal, and that’s being polite.

“It is unlawful to access encoded data and systems in order to examine other people’s personal information and we are coordinating state resources to respond and utilize all legal methods available,” the governor wrote. “This incident alone may cost Missouri taxpayers up to $50 million and divert workers and resources from other state agencies. This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them — in accordance with what Missouri law.”

The governor added that the matter had been referred to the Cole County Prosecutor for action, despite the fact that no one hacked anything.

“This situation underscores how much ground we need to cover to protect security researchers that operate in the public good, and redirect outrage away from the discovery of vulnerabilities and data loss towards the root causes of why these security failures continue to occur to the detriment of individual safety,” Tim Wade, technical director, CTO Team at cybersecurity company Vectra AI Inc., told SiliconANGLE. “Courts recognize limits to protections from unlawful search when activities occur clearly in a public context. It’s hard to imagine that the low-technical sophistication of the behaviors described, with a tool as common as a web browser, constitutes anything but the digital equivalent of observations made in a public context.”

Jake Williams, co-founder and chief technology officer at incident response firm BreachQuest Inc., noted that threatening a reporter with legal action is almost always a bad idea and usually creates an unintended Streisand effect.

“This is certainly not hacking in any sense of the word,” Williams explained. “It appears that the reporter used a publicly available web application intended to facilitate searching for teacher certifications. When the results were displayed, the reporter simply viewed the source code of the web page and found the Social Security numbers.”

John Bambenek, principal threat hunter at information technology and security operations company Netenrich Inc., was more scathing.

“Throughout human history, emperors have responded to those telling them they were wearing no clothes by lashing out in anger at the audacity of those who’d dare say such a thing,” Bambenek said. “Life would be better if they, you know, just put on pants.”

Bambenek added that government leaders should be thanking people who notify government of problems, not threatening them. “I’m sure every actual criminal hacker on the planet noticed this tirade and you can bet they’re adjusting their targeting accordingly,” he said.

Photo: Office of Missouri Governor/Wikimedia Commons


