On Wednesday, the St. Louis Post-Dispatch ran a story about how its staff discovered and reported a security vulnerability in a Missouri state education website that exposed the Social Security numbers of 100,000 elementary and secondary teachers. In a press conference this morning, Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the “hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”
The Post-Dispatch says it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials, and that more than 100,000 SSNs were available. The Missouri state Department of Elementary and Secondary Education (DESE) reportedly removed the affected pages from its website Tuesday after being notified of the problem by the publication (before the story on the flaw was published).
The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who happened to also examine the site’s public code using Developer Tools or simply right-clicking on the page and viewing the source code.
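The flaw described above is a server-side data-minimization failure: the page rendered only a teacher's name and certification, but the response carried fields the UI never displayed, so anyone who viewed the source got them. The following is an added example, not code from the Post-Dispatch, DESE or KrebsOnSecurity, showing the shape of such a leak beside its fix, plus a check a site owner can run over their own responses to catch it before release. The record, the field names and the base64 encoding are assumptions; the article only says the SSNs were in the HTML source, and the governor's statement refers to "encoded" data, so the scanner also decodes base64-looking tokens, since encoding is not an access control.

```python
import base64
import re
from html import escape

# Constructed sample record for the example; not real data.
TEACHER = {"name": "Jane Example", "cert_id": "CERT-0001", "ssn": "123-45-6789"}

# SSN-shaped token AAA-GG-SSSS, with the never-issued area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Base64-looking token of plausible length; checked separately because encoding hides an
# SSN from a naive grep but not from anyone who reads the page source.
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def render_vulnerable(rec):
    """Shape of the flaw (assumed): the page displays name and certificate, but the
    whole record is serialized into the markup, so the SSN ships to every browser."""
    encoded = base64.b64encode(rec["ssn"].encode()).decode()
    return (
        f"<div class='teacher' data-record='{encoded}'>"
        f"<span>{escape(rec['name'])}</span> "
        f"<span>{escape(rec['cert_id'])}</span></div>"
    )


def render_fixed(rec):
    """Only the fields the page actually displays leave the server. The SSN is never
    read into the response, encoded or otherwise."""
    public = {k: rec[k] for k in ("name", "cert_id")}
    return (
        "<div class='teacher'>"
        f"<span>{escape(public['name'])}</span> "
        f"<span>{escape(public['cert_id'])}</span></div>"
    )


def find_ssn_exposures(html):
    """Return SSN-shaped strings present in a response body, in the clear or
    base64-encoded. Run this over your own site's responses in CI or a pre-release
    crawl; it inspects the same bytes a browser's view-source shows."""
    found = list(SSN_RE.findall(html))
    for token in B64_RE.findall(html):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: nothing to inspect
        found.extend(f"{m} (base64)" for m in SSN_RE.findall(decoded))
    return found


if __name__ == "__main__":
    print(find_ssn_exposures(render_vulnerable(TEACHER)))  # ['123-45-6789 (base64)']
    print(find_ssn_exposures(render_fixed(TEACHER)))       # []
```

The fix is in `render_fixed`: the sensitive column is never selected into the view model, so no template, attribute or client-side script can leak it. The scanner is a safety net, not a substitute; pattern matching on formatted SSNs will miss unformatted nine-digit values and other encodings, so treat a clean scan as necessary rather than sufficient.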
The Post-Dispatch reported that it wasn’t immediately clear how long the Social Security numbers and other sensitive information had been vulnerable on the DESE website, nor was it known if anyone had exploited the flaw.
But in a press conference Thursday morning, Gov. Parson said he would seek to prosecute and investigate the reporter and the region’s largest newspaper for “unlawfully” accessing teacher data.
“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” Parson said. “It is unlawful to access encoded data and systems in order to examine other peoples’ personal information. We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter, the Missouri State Highway Patrol’s Digital Forensics Unit will also be conducting an investigation of all of those involved. This incident alone may cost Missouri taxpayers as much as $50 million.”
While threatening to prosecute the reporters to the fullest extent of the law, Parson sought to downplay the severity of the security weakness, saying the reporter only unmasked three Social Security numbers, and that “there was no option to decode Social Security numbers for all educators in the system all at once.”
“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson continued. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”
Parson said the person who reported the weakness was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.”
“We will not let this crime against Missouri teachers go unpunished, and refuse to let them be a pawn in the news outlet’s political vendetta,” Parson said. “Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”
In a statement shared with KrebsOnSecurity, an attorney for the St. Louis Post-Dispatch said the reporter did the responsible thing by reporting his findings to the DESE so that the state could act to prevent disclosure and misuse.
“A hacker is someone who subverts computer security with malicious or criminal intent,” the attorney Joe Martineau said. “Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
Aaron Mackey is a senior staff attorney at the Electronic Frontier Foundation (EFF), a non-profit digital rights group based in San Francisco. Mackey called the governor’s response “vindictive, retaliatory, and incredibly short-sighted.”
Mackey noted that the Post-Dispatch did everything right, even holding its story until the state had fixed the vulnerability. He said the governor also is attacking the media — which serves an important role in helping give voice (and often anonymity) to security researchers who might otherwise remain silent under the threat of potential criminal prosecution for reporting their findings directly to the vulnerable organization.
“It’s dangerous and wrong to go after someone who behaved ethically and responsibly in the disclosure sense, but also in the journalistic sense,” he said. “The public had a right to know about their government’s own negligence in building secure systems and addressing well-known vulnerabilities.”
Mackey said Gov. Parson’s response to this incident is also unfortunate because it will almost certainly give pause to anyone who might otherwise find and report security vulnerabilities in state websites that unnecessarily expose sensitive information or access. Which also means such weaknesses are more likely to be eventually found and exploited by actual criminals.
“To characterize this as a hack is just wrong on the technical side, when it was the state agency’s own system pulling that SSN data and making it publicly available on their site,” Mackey said. “And then to react in this manner where you don’t say ‘thank you’ but actually turn on the reporter and researchers and go after them…it’s just bizarre.”