Missouri governor calls for prosecution of reporter who reported website flaw

Missouri Governor Mike Parson on Thursday called for a criminal investigation into a reporter who uncovered a vulnerability on a state website that exposed the social security numbers of thousands of public school teachers.

The reporter, Josh Renaud of the St. Louis Post-Dispatch, published an article on Wednesday about a vulnerability in the website of the state department of primary and secondary education. Viewing the HTML source code on the site revealed the teachers’ names and their social security numbers, Renaud wrote, and he contacted three teachers to verify that the numbers were genuine.

Renaud also delayed publishing his findings until the website administrators could ensure the numbers were no longer publicly visible, which is considered standard good practice in cybersecurity reporting.

But Parson said Renaud’s research and reports constituted criminal hacking, prompting a law enforcement investigation.

Following the announcement, cybersecurity law experts say that charging the journalist with a crime could have a chilling effect on researchers and others who discover such vulnerabilities.

“It’s incredibly wrong to call what happened here less than fully responsible and ethical,” said Aaron Mackey, an attorney at the Electronic Frontier Foundation, a nonprofit that advocates for digital rights.

“It’s a short story. It is important for the public and the people of Missouri to know that the state was failing to secure the personal information of hundreds of thousands of people and leaving them vulnerable,” he said.

The internet is full of vulnerabilities that expose personal information to potential hackers, and vulnerabilities like the one discovered by Renaud are frequently covered in the media. But in a speech Thursday, Parson accused Renaud of criminal hacking and said he referred the incident to the Cole County District Attorney’s Office and the state Highway Patrol.

“This individual is not a victim,” Parson said. “They were acting against a state agency to compromise teachers’ personal information in an effort to embarrass the state and sell headlines for their media outlet. We will not let this crime against Missouri teachers go unpunished, and we refuse to let them be a pawn in the media’s political vendetta.”

A spokesperson for the Missouri State Highway Patrol confirmed in an email that it was investigating “potential unauthorized access to Department of Elementary and Secondary Education data.” Cole County District Attorney Locke Thompson said in an email that he would wait for the investigation to be completed before deciding whether to press charges.

A St. Louis Post-Dispatch attorney, Joe Martineau, said in an emailed statement that Renaud “did the responsible thing” in disclosing his findings to the state.

“Here, there were no firewall or security breaches and certainly no malicious intent,” Martineau said. “Fortunately, these failures have been discovered.”

Marcia Hoffman, a digital rights attorney, said the state of Missouri should thank Renaud, not accuse him.

“Missouri shouldn’t be prosecuting anyone here,” Hoffman said in a text message. “Instead, the governor should commend the Post-Dispatch and its reporters for uncovering a serious privacy issue and notifying the responsible agency so that the vulnerability can be remedied.”

“Maybe this situation is a little embarrassing for the state, but here’s the thing: the website no longer creates unnecessary risk for 100,000 educators,” she said.