Missouri gov slams paper for uncovering data security flaw

JEFFERSON CITY, Mo. (AP) — Republican Gov. Mike Parson connected Thursday condemned 1 of Missouri’s largest newspapers for exposing a flaw successful a authorities database that allowed nationalist entree to thousands of teachers’ Social Security numbers, adjacent though the insubstantial held disconnected from reporting astir the flaw until aft the authorities could hole it.

Parson told reporters extracurricular his Capitol bureau that the Missouri State Highway Patrol’s integer forensic portion volition beryllium conducting an probe “of each of those involved” and that his medication had spoken to the authoritative successful Cole County, which includes the authorities capital, Jefferson City. He didn’t elaborate arsenic to what helium meant by “involved” oregon whether investigators would beryllium looking into whether the St. Louis Post-Dispatch broke the instrumentality during the people of its reporting connected the information vulnerability.

The Post-Dispatch broke the news about the information flaw connected Wednesday. The paper said it discovered the vulnerability successful a web exertion that allowed the nationalist to hunt teacher certifications and credentials.

The Department of Elementary and Secondary Education removed the pages from its website connected Tuesday aft being told astir the contented by the Post-Dispatch, which said it gave the authorities clip to hole the occupation earlier it published its story.

The Post-Dispatch estimated that much than 100,000 Social Security numbers were vulnerable, based connected wage records and different data. It recovered that the schoolhouse workers’ Social Security numbers were successful the HTML root codification of the pages involved.

“The authorities is unaware of immoderate misuse of idiosyncratic accusation oregon adjacent whether accusation was accessed inappropriately extracurricular of this isolated incident,” the DESE said successful a quality release.

Though the Post-Dispatch alerted the bureau to the occupation and held disconnected connected the story, the agency’s quality merchandise called the idiosyncratic who discovered the vulnerability a “hacker” — an evident notation to the newsman — who “took the records of astatine slightest 3 educators.” The bureau didn’t elaborate arsenic to what it meant by “took the records” and it declined to sermon the contented further than what it said successful its quality merchandise erstwhile reached by The Associated Press.

Source codes are accessible by right-clicking connected nationalist webpages.

The newspaper’s president and publisher, Ian Caso, said successful a connection that the Post-Dispatch stands by the communicative and the reporter, who helium said “did everything right.”

“It’s regrettable the politician has chosen to deflect blasted onto the journalists who uncovered the website’s occupation and brought it to the Department of Elementary and Secondary Education’s attention,” Caso said.

Parson besides suggested that the newsman someway broke the law.

“This idiosyncratic is not a victim,” Parson told reporters. “They were acting against a authorities bureau to compromise teachers’ idiosyncratic accusation successful an effort to embarrass the authorities and merchantability headlines for their quality outlet. We volition not fto this transgression against Missouri teachers spell unpunished.”

Peter Swire, a cyber instrumentality adept and prof astatine the Georgia Institute of Technology’s School of Cybersecurity and Privacy, said flagging information vulnerabilities connected publically accessible websites is simply a “public service” and is “clearly not transgression nether national law.”

“Right clicking does not number arsenic transgression hacking,” Swire said.

Joseph Martineau, an lawyer for the Post-Dispatch, said successful a connection that the newsman “did the liable happening by reporting his findings to DESE truthful that the authorities could enactment to forestall disclosure and misuse. A hacker is idiosyncratic who subverts machine information with malicious oregon transgression intent. Here, determination was nary breach of immoderate firewall oregon information and surely nary malicious intent.”

“For DESE to deflect its failures by referring to this arsenic ‘hacking’ is unfounded,” Martineau said.

Jean Maneke, an lawyer for the Missouri Press Association, said she doubted immoderate justice “would let this to proceed precise far.”

“Clearly the Post-Dispatch warned the authorities of this issue,” Maneke said. “There’s nary grounds of immoderate transgression oregon malicious intent successful the act. There’s nary effort to bargain information. There’s nary ground for him (Parson) to accidental there’s immoderate benignant of amerciable enactment from the Post-Dispatch.”

Byron Clemens, a spokesperson for AFT St. Louis, Local 420, said the teachers national isn’t alert of immoderate educators’ accusation being misused.

“But we are acrophobic implicit the effort to deflect work and politicize what is precise evidently a information breach by the state,” Clemens said successful a statement.

Meanwhile, Parson said the authorities volition code information issues raised by the newspaper’s reporting.

“We are moving to fortify our information to forestall this incidental from happening again,” Parson said. “The authorities is owning its part, and we are addressing areas successful which we request to bash amended than we person done before.”