Missouri state government officials planned to publicly thank a reporter who uncovered a security breach until a dramatic change in strategy resulted in the governor calling the reporter a “hacker,” while threatening both legal action and prosecution.
As we wrote on October 14, St. Louis Post-Dispatch reporter Josh Renaud identified a security breach that exposed the social security numbers of teachers and other school employees in an unencrypted form. in the HTML source code of a publicly accessible website. Renaud and the Post-Dispatch handled the issue as responsible security researchers do, notifying the status of the security flaw and keeping it secret until it was fixed.
Despite this, Missouri Governor Mike Parson called Renaud a “hacker” and said the newspaper’s reporting was nothing more than a “political vendetta” and “an attempt to embarrass the state and to sell headlines for their media”. The Republican governor further said that his “administration has notified the Cole County District Attorney of this case,” that the Missouri State Highway Patrol’s Digital Forensics Unit would investigate “everyone involved,” and that the law of the state “allows us to bring a civil action”. to obtain damages against all involved.”
“We are grateful to the member of the media”
But just two days earlier, a government spokesperson was preparing a citation to publicly thank the reporter, as the Post-Dispatch reported today:
In an Oct. 12 email to officials in Governor Mike Parson’s office, DESE spokesperson Mallory McGowin [Department of Elementary and Secondary Education]sent proposed statements for a press release announcing the data vulnerability discovered by the newspaper.
“We are grateful to the member of the media who has brought this to the attention of the state,” said a proposed citation from Education Commissioner Margie Vandeven.
The Parson administration and DESE did not end up using this quote. The next day, October 13, the Office of Administration issued a press release calling the Post-Dispatch reporter a “hacker.” And on October 14, Parson held a press conference to protest the Post-Dispatch and announce a criminal investigation by the Missouri State Highway Patrol.
“We will not let this crime against Missouri teachers go unpunished,” Parson said at the press conference. “And we refuse to let them be a pawn in the media’s political vendetta. Not only are we going to hold this individual accountable, but we’re also going to hold accountable everyone who helped this individual and the media company that employs them.”
The Post-Dispatch obtained the Oct. 12 email in a public records request. The reporter’s thank-you plan was apparently scrapped at 1:18 p.m. on October 13, when “McGowin emailed Kelli Jones and Johnathan Shiflett, who both work in the governor’s office, to say that Vandeven wanted her meeting with officials from the governor’s office,” the Post-Dispatch wrote. A draft press release emailed by McGowin at 3:46 p.m., apparently after that meeting, called the reporter “peculiar.” Another review emailed by Shiflett at 4:20 p.m. called him a “hacker.”