On Wednesday, the St. Louis Post-Dispatch ran a story about how its staff discovered and reported a security vulnerability in a Missouri state education website that exposed the Social Security numbers of 100,000 elementary and secondary teachers. In a press conference this morning, Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the "hackers" and anyone who aided the publication in its "attempt to embarrass the state and sell headlines for their news outlet."
The Post-Dispatch says it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials, and that more than 100,000 SSNs were available. The Missouri state Department of Elementary and Secondary Education (DESE) reportedly removed the affected pages from its website Tuesday after being notified of the problem by the publication (before the story on the flaw was published).
The newspaper said it found that teachers' Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who happened to also examine the site's public code using Developer Tools or simply by right-clicking on the page and viewing the source code.
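The exposure the newspaper describes, a full SSN written into page source where view-source shows it, as an added example that is not code from the article, the Post-Dispatch or DESE. It puts the leaking render beside a hardened one that masks the value on the server, and adds a check a site owner can run over their own rendered HTML to catch SSN-shaped values before a page ships. The sample record, the hidden-input placement and the base64 "encoding" (the governor's statement mentions encoded data, but the article does not say what that meant) are assumptions made for this example, and the function names are hypothetical.

```python
import base64
import binascii
import html
import re

# Constructed sample record for this example; the values are made up, not real data.
TEACHER = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "certification": "Elementary Education 1-6",
}

# Anything shaped like a U.S. Social Security number (ddd-dd-dddd).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Runs of base64-looking text.  Decoding these is an assumption made here, since the
# article does not say how the state's "encoded" values were represented.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def render_vulnerable(record):
    """The pattern the article describes: the application writes the full SSN into
    the page source (here a hidden form field, an assumed detail) even though the
    visible page never shows it.  View-source or the browser's developer tools
    expose it to anyone who loads the page."""
    return (
        "<div class='teacher'>"
        f"<input type='hidden' name='ssn' value='{html.escape(record['ssn'])}'>"
        f"<span class='name'>{html.escape(record['name'])}</span>"
        f"<span class='cert'>{html.escape(record['certification'])}</span>"
        "</div>"
    )


def render_vulnerable_encoded(record):
    """Same leak with the SSN base64-encoded first.  Encoding is reversible and is
    not access control, so the value is still exposed to every visitor."""
    encoded = base64.b64encode(record["ssn"].encode()).decode()
    return (
        "<div class='teacher'>"
        f"<input type='hidden' name='ssn' value='{html.escape(encoded)}'>"
        f"<span class='name'>{html.escape(record['name'])}</span>"
        f"<span class='cert'>{html.escape(record['certification'])}</span>"
        "</div>"
    )


def render_hardened(record):
    """Fix: the full SSN never leaves the server.  The page gets only the fields a
    public lookup needs; if a partial identifier is required, mask it server-side."""
    masked = "***-**-" + record["ssn"][-4:]
    return (
        "<div class='teacher'>"
        f"<span class='name'>{html.escape(record['name'])}</span>"
        f"<span class='cert'>{html.escape(record['certification'])}</span>"
        f"<span class='id'>{html.escape(masked)}</span>"
        "</div>"
    )


def _decode_base64(token):
    """Return the decoded text of a base64 token, or None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_ssn_leaks(page_source):
    """Defender-side check to run against your own rendered pages (for example as a
    test in CI or a crawl of a staging site): report every SSN-shaped value in the
    HTML, whether it appears literally or behind a base64 layer."""
    leaks = SSN_RE.findall(page_source)
    for token in B64_TOKEN_RE.findall(page_source):
        decoded = _decode_base64(token)
        if decoded:
            leaks.extend(SSN_RE.findall(decoded))
    return leaks


if __name__ == "__main__":
    for label, renderer in [("vulnerable", render_vulnerable),
                            ("vulnerable_encoded", render_vulnerable_encoded),
                            ("hardened", render_hardened)]:
        print(f"{label}: leaks = {find_ssn_leaks(renderer(TEACHER))}")
```

The check only recognises one number format and one encoding; it is a regression test for the specific class of mistake in the article (sensitive fields rendered into markup), not a substitute for reviewing which fields a public endpoint returns in the first place.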
The Post-Dispatch reported that it wasn't immediately clear how long the Social Security numbers and other sensitive information had been vulnerable on the DESE website, nor was it known whether anyone had exploited the flaw.
But in a press conference Thursday morning, Gov. Parson said he would seek to prosecute and investigate the reporter and the region's largest newspaper for "unlawfully" accessing teacher data.
"This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians," Parson said. "It is unlawful to access encoded data and systems in order to examine other people's personal information. We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter, and the Missouri State Highway Patrol's Digital Forensics Unit will also be conducting an investigation of all of those involved. This incident alone may cost Missouri taxpayers as much as $50 million."
While threatening to prosecute the reporters to the fullest extent of the law, Parson sought to downplay the severity of the security weakness, saying the reporter only unmasked three Social Security numbers, and that "there was no option to decode Social Security numbers for all educators in the system all at once."
"The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so," Parson continued. "A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack."
Parson said the person who reported the weakness was "acting against a state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet."
"We will not let this crime against Missouri teachers go unpunished, and refuse to let them be a pawn in the news outlet's political vendetta," Parson said. "Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them."
In a statement shared with KrebsOnSecurity, an attorney for the St. Louis Post-Dispatch said the reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse.
"A hacker is someone who subverts computer security with malicious or criminal intent," the attorney, Joe Martineau, said. "Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as 'hacking' is unfounded. Thankfully, these failures were discovered."
Aaron Mackey is a senior staff attorney at the Electronic Frontier Foundation (EFF), a non-profit digital rights group based in San Francisco. Mackey called the governor's response "vindictive, retaliatory, and incredibly short-sighted."
Mackey noted that the Post-Dispatch did everything right, even holding its story until the state had fixed the vulnerability. He said the governor is also attacking the media, which serves an important role in giving voice (and often anonymity) to security researchers who might otherwise remain silent under the threat of potential criminal prosecution for reporting their findings directly to the vulnerable organization.
"It's dangerous and wrong to go after someone who behaved ethically and responsibly in the disclosure sense, but also in the journalistic sense," he said. "The public had a right to know about their government's own negligence in building secure systems and addressing well-known vulnerabilities."
Mackey said Gov. Parson's response to this incident is also unfortunate because it will almost certainly give pause to anyone who might otherwise find and report security vulnerabilities in state websites that unnecessarily expose sensitive information or access. That also means such weaknesses are more likely to be eventually found and exploited by actual criminals.
"To characterize this as a hack is just wrong on the technical side, when it was the state agency's own system pulling that SSN data and making it publicly available on their website," Mackey said. "And then to react in this way where you don't say 'thank you' but actually turn on the reporter and researchers and go after them…it's just bizarre."