Missouri Gov. Mike Parson on Thursday called for an investigation of a journalist for finding, helping fix and reporting on a vulnerability in a government website that exposed the Social Security numbers of teachers in the state.
Parson said he had notified the Cole County prosecutor and that the Missouri State Highway Patrol was investigating alleged unauthorized access to the website of Missouri’s Department of Elementary and Secondary Education (DESE).
The announcement came after the St. Louis Post-Dispatch reported that a flaw in the website had made it possible for the public to view the Social Security numbers of teachers and administrators across Missouri. The Social Security numbers weren’t clearly visible or searchable on the website itself, but rather in the site’s source code, according to the report. The Post-Dispatch said it waited to publish its report about the flaw until the DESE had fixed the issue. More than 100,000 Social Security numbers were potentially exposed, the newspaper estimated.
Parson nonetheless claimed a crime had been committed and vowed to not let it go “unpunished.”
“Through a multi-step process, an individual took the records of at least three educators, decoded the … source code, and viewed the Social Security number of those specific educators,” Parson alleged at a press conference, without referring to the reporter, Josh Renaud, or newspaper by name.
“Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them,” Parson continued.
Ian Caso, president and publisher of the Post-Dispatch, said in a statement that was shared with CNN Business that the newspaper stands by its reporting and its reporter, “who did everything right.”
“It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to the Department of Elementary and Secondary Education’s attention,” Caso said.
Joe Martineau, an attorney for the newspaper, said “there was no breach of any firewall or security and certainly no malicious intent” in the process of reporting the story.
Many US companies and government agencies have in recent years introduced vulnerability disclosure policies, which encourage good-faith attempts to report cybersecurity flaws so they can be fixed. But experts say the Missouri incident is a reminder that there are still ambiguous or heavy-handed laws that can be used to punish good-faith cybersecurity research.
“If this is a crime, the law is on the wrong side of cybersecurity,” Harley Geiger, senior director of public policy at cybersecurity firm Rapid7, told CNN. “Missouri’s threat to prosecute someone for discovering, validating and privately reporting security vulnerabilities is a misuse of state cybercrime laws and sends the wrong message to people trying to do the right thing.”