The Missouri Department of Elementary and Secondary Education (DESE) has labeled a journalist a “hacker” with Gov. Mike Parson (R) threatening legal action after the journalist warned the department there were security flaws on its website.
A journalist from the St. Louis Post-Dispatch alerted the education department to a security flaw on its website that showed more than 100,000 teachers’ Social Security numbers.
The outlet delayed publishing the story to give the department time to fix the problem, with the department, at first, working with the outlet on the issue and saying it would give updates to the Post-Dispatch.
“We have worked with our data team and the Office of Administration Information Technology Services Division to get that search tool pulled down immediately, so we can dig in to the situation and learn more about what has happened,” department spokeswoman Mallory McGowin told the outlet Tuesday with plans to give more information on Wednesday.
However, the department backed out of the Wednesday plan and instead released a statement saying the flaw was found by a hacker.
The DESE said a “hacker” stole “the records of at least three educators” who would be contacted shortly, according to the Post-Dispatch. The statement was not immediately available as the department’s website is down.
The governor repeated that version of the story in a press conference Thursday where he threatened legal action against the journalist.
“We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountability all those who aided this individual and the media corporation that employs them,” Parson said.
The Post-Dispatch released a statement saying they stand by the work of their journalist.
“We stand by our reporting and our reporter who did everything right. It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention,” Post-Dispatch Publisher Ian Caso said.
Despite the wave of condemnation at the governor’s comments, Parson doubled down in a tweet later Thursday.
“We want to be clear, this DESE hack was more than a simple ‘right click,’” Parson tweeted. “This data was not freely available, and by the actors own admission, the data had to be taken through eight separate steps in order to generate a SSN.”
This data was not freely available, and by the actors own admission, the data had to be taken through eight separate steps in order to generate a SSN. (2/3)
— Governor Mike Parson (@GovParsonMO) October 14, 2021
The outlet’s attorney said the journalist did not have to “breach of any firewall or security” in order to find the numbers and that “for DESE to deflect its failures by referring to this as ‘hacking’ is unfounded.”
Parson has received swift backlash from other politicians, Democrats and Republicans, for his threats against the journalist.
“Journalism isn’t a crime. Cybersecurity research isn’t either. Real leaders don’t unleash their attack dogs on the press when they expose government failures, they roll up their sleeves and fix the problem,” Oregon Sen. Ron WydenRonald (Ron) Lee WydenCongress needs to step up on crypto, or Biden might crush it Democrats face growing storm over IRS reporting provision Best shot at narrowing racial homeownership gap at risk, progressives say MORE (D), chairman of the Senate Finance committee, said.
Journalism isn’t a crime. Cybersecurity research isn’t either. Real leaders don’t unleash their attack dogs on the press when they expose government failures, they roll up their sleeves and fix the problem. https://t.co/i0yuNka8C2
— Ron Wyden (@RonWyden) October 14, 2021
State Rep. Tony Lovasco (R) said the governor doesn’t understand the situation.
“It’s clear the Governor’s office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities,” he tweeted. “Journalists responsibly sounding an alarm on data privacy is not criminal hacking.”
It’s clear the Governor’s office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.
— Rep. Tony Lovasco (MO-64) (@tonylovasco) October 14, 2021
Updated at 5:46 p.m.