Oct 15, 2021 - Politics & Policy

Missouri gov. threatens newspaper that notified state of web data flaw

Parson

Photo: Jacob Moscovitch/Getty Images)

Missouri Gov. Mike Parson (R) on Thursday suggested he was prepared to prosecute the staff of the St. Louis Post-Dispatch after the newspaper published a story exposing a data risk on the state education department's website.

Driving the news: The Post-Dispatch notified the state Tuesday after discovering the vulnerability, which left the Social Security numbers of 100,000 staffers vulnerable to public disclosure. Parson's remarks Thursday echoed the rhetoric of a statement by the department, describing the reporter as a "hacker."

Be smart: The newspaper said the private information was not clearly visible or searchable, but was instead in the HTML source code of the pages in question. HTML source code is publicly available to anyone with a web browser.

At a news conference Thursday, Parson said the "individual" who alerted the state had gotten the private information through a "multi-step process," and that they were trying to “embarrass the state and sell headlines for their news outlet."

  • "The state is committed to bring to justice anyone who hacked our system and anyone who aided and abetted them to do so," Parson said.
  • "Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them."

The Post-Dispatch disputed Parson's characterization, citing University of Missouri-St. Louis cybersecurity professor Shaji Khan, who noted that the content was encoded but not encrypted, so it could be seen without a decryption key.

  • “We stand by our reporting and our reporter who did everything right. It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention,” Post-Dispatch Publisher Ian Caso said Thursday.

Worth noting: The newspaper notified the department of their findings before publishing the story, giving the department time to remove the webpages that contained the exposure.

Go deeper