Journalists for the St. Louis Post-Dispatch who discovered a severe privacy problem in the coding of the Department of Elementary and Secondary Education (DESE) website are still being treated as “hackers” by the Governor of Missouri.
All the journalists did was right-click and select “view source” on the page.
There, they could see that the website had exposed the Social Security numbers of teachers. Gov. Mike Parson insists that the journalist is a hacker and should be prosecuted.
The St. Louis Post-Dispatch followed ethical disclosure best practices. It got evidence of the vulnerability, alerted the state to the problem, and did not publish the story about the vulnerability until it had been patched.
DESE initially thanked the journalists for alerting them to the problem.
However, Gov. Parson has been insisting that the journalists were hackers and ordered the Missouri Highway Patrol to investigate them. He has doubled down on his calls for the prosecution of the journalists by calling any reporting in support of the journalists “the fake news.”
According to the FBI, the incident was “not an actual network intrusion.”
Earlier this week, the Highway Patrol said it had completed its investigation and had turned its findings over to prosecutors.
“The investigation has been completed and turned over to the Cole County Prosecutor’s office,” Capt. John Hotz said, speaking to the Post-Dispatch.
Addressing the issue on Wednesday, Gov. Parson was optimistic that the journalists who exposed the vulnerability would be prosecuted.
The governor explained: “If somebody picks your lock on your house — for whatever reason, it’s not a good lock, it’s a cheap lock or whatever problem you might have — they do not have the right to go into your house and take anything that belongs to you.”
The governor doesn’t appear to understand that the journalists didn’t breach any security system and that the private data was openly published to the page. This was the original problem the journalists were trying to highlight. It wasn’t locked at all. It was published and available to the public.
The information was left open in the HTML code. Someone could land on the SSNs without any advanced hacking prowess, and bots could easily scrape the data because it was public.
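A site owner can catch this class of leak before release by auditing the HTML the server actually sends, not just what the browser renders. The following is an added example, not code from DESE or the Post-Dispatch: the sample page, its field names and its SSN-shaped values are constructed, and the check assumes SSNs appear in the dashed AAA-GG-SSSS form.

```python
import re
from html.parser import HTMLParser

# SSN-shaped values in AAA-GG-SSSS form, skipping ranges that are never issued
# (area 000, 666, 9xx; group 00; serial 0000). Dashed form is an assumption.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

class SourceAudit(HTMLParser):
    """Record where in the served markup each SSN-shaped value sits."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []      # (location, masked value)
        self._raw = False       # True while inside <script> or <style>

    def _scan(self, location, text):
        for m in SSN_RE.finditer(text or ""):
            # Mask the value so the audit report does not become a second leak.
            self.findings.append((location, "***-**-" + m.group()[-4:]))

    def handle_starttag(self, tag, attrs):
        self._raw = tag in ("script", "style")
        for name, value in attrs:            # hidden inputs, data-* attributes
            self._scan(f"attribute {tag}[{name}]", value)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._raw = False

    def handle_data(self, data):
        self._scan("script/style body" if self._raw else "visible text", data)

    def handle_comment(self, data):
        self._scan("comment", data)

def audit_html(html):
    parser = SourceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: nothing sensitive is rendered, but the source carries it.
SAMPLE_HTML = """<html><body>
<!-- debug: record 123-45-6789 -->
<table><tr><td>Jane Example</td><td>Certified</td></tr></table>
<input type="hidden" name="rec" value="234-56-7890">
<script>var rows = [{"name": "Jane Example", "id": "345-67-8901"}];</script>
<p>Office phone: 573-555-0100</p>
</body></html>"""

if __name__ == "__main__":
    for location, masked in audit_html(SAMPLE_HTML):
        print(f"{location}: {masked}")
```

Any finding outside "visible text" is data that the page never displays but still delivers to every visitor, which is the situation "view source" revealed here.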