Missouri Gov. Mike Parson on Thursday called for a criminal investigation into a journalist who discovered a vulnerability on a state website that left the Social Security numbers of thousands of public school teachers exposed.
The journalist, Josh Renaud of The St. Louis Post-Dispatch, published an article Wednesday about a vulnerability in the website of the state’s Department of Elementary and Secondary Education. Viewing the HTML source code on the site revealed teachers’ names and their Social Security numbers, Renaud wrote, and he contacted three teachers to verify that the numbers were authentic.
Renaud also delayed publication of his findings until after website administrators were able to ensure the numbers were no longer publicly visible, regarded as standard good practice in cybersecurity reporting.
But Parson said Renaud's research and reporting constitutes criminal hacking, prompting a state law enforcement investigation.
The announcement has worried cybersecurity law experts who say that accusing the journalist of a crime could have a chilling effect on researchers and others who discover such vulnerabilities.
“It’s incredibly wrong to characterize what occurred here as anything less than fully responsible and ethical,” said Aaron Mackey, an attorney at the Electronic Frontier Foundation, a nonprofit that advocates for digital rights.
“It’s news. It’s important that the public and the folks who live in Missouri know that the state was failing to secure hundreds of thousands of people’s personal information and leaving them vulnerable,” he said.
The internet is rife with vulnerabilities that expose personal information to potential hackers, and vulnerabilities like the one Renaud discovered are frequently covered by news outlets. But in a speech on Thursday, Parson accused Renaud of criminal hacking and said he had referred the incident to the Cole County prosecutor’s office and the state’s highway patrol.
“This individual is not a victim,” Parson said. “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished, and we refuse to let them be a pawn in the news outlet’s political vendetta.”
A spokesperson for the Missouri State Highway Patrol confirmed in an email that it was investigating “the potential unauthorized access to Department of Elementary and Secondary Education data.” The Cole County prosecuting attorney, Locke Thompson, said in an email that he would wait until that investigation was complete before deciding whether to file charges.
An attorney for The St. Louis Post-Dispatch, Joe Martineau, said in an emailed statement that Renaud “did the responsible thing” by disclosing his findings to the state.
“Here, there was no breach of any firewall or security and certainly no malicious intent,” Martineau said. “Thankfully, these failures were discovered.”
Marcia Hoffman, an attorney who specializes in digital rights, said that the state of Missouri should thank Renaud, not charge him.
“Missouri shouldn’t prosecute anyone here,” Hoffman said in a text message. “Instead, the governor should commend the Post-Dispatch and its journalists for discovering a dire privacy problem and letting the responsible agency know so the vulnerability could be fixed.”
“Perhaps this situation is a little embarrassing for the state, but here’s the important thing: The website is no longer creating a needless risk for 100,000 educators,” she said.