Missouri Governor Wants to Prosecute Journalist Who Found School Employee Database Vulnerability

Cybersecurity legal experts say the potential prosecution is misguided and could have a chilling effect on others who discover cyber vulnerabilities.

Missouri Governor Wants to Prosecute Journalist Who Found School Employee Database Vulnerability

Photo via Adobe, by MarekPhotoDesign.com.

A St. Louis Post-Dispatch journalist who uncovered, helped fix and reported a vulnerability in a Missouri government website that exposed more than 100,000 Social Security numbers of public school teachers  and other staff members is now under criminal investigation by the Missouri State Highway Patrol for alleged unauthorized access to the site.

The move was prompted by a call for the investigation by Missouri Gov. Mike Parson, reports WTVA and WLOV. Cybersecurity legal experts, however, say the prosecution is misguided and could have a chilling effect on others who discover cyber vulnerabilities, reports NBC News.

The journalist who wrote about the vulnerabilities of the state’s Department of Elementary and Secondary Education’s (DESE) website is Josh Renaud of the St. Louis Post-Dispatch. In an article he published Wednesday, he reported that viewing the Web site’s HTML source code revealed the names and Social Security numbers of public school teachers, administrators and counselors in the state. He was then able to verify the vulnerability by contacting three of the individuals in the exposed database.

Before the article was published, however, the Post-Dispatch said it delayed publishing the report so DESE could “take steps to protect teachers’ private information and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.” The article was published one day after the problematic pages were removed from the website.

Despite this, Parsons described Renaud as s “perpetrator” who “took the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators,” reports Ars Technica.

“Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them,” Parson added.

The Post-Dispatch responded that the “Social Security numbers were present in the publicly visible HTML source code of the pages involved.”  It should also be noted that most web browsers have the option to “view source” or “view page source” that allows anyone to look at a website’s HTML.

In a statement to CNN, Ian Caso, president and publisher of the Post-Dispatch, said the publication stands by its journalist, “who did everything right. It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to the Department of Elementary and Secondary Education’s attention.”

An attorney for the newspaper claimed that when the journalist was conducting research for the article, “there was no breach of any firewall or security and certainly no malicious intent” reports WTVA and WLOV.

“It’s incredibly wrong to characterize what occurred here as anything less than fully responsible and ethical,” Aaron Mackey, an attorney at the Electronic Frontier Foundation, a nonprofit that advocates for digital rights told NBC News.

Currently, no charges have been filed against Renaud or the Post-Dispatch.

About the Author

Robin Hattersley Gray
Contact:

Robin has been covering the security and campus law enforcement industries since 1998 and is a specialist in school, university and hospital security, public safety and emergency management, as well as emerging technologies and systems integration. She joined CS in 2005 and has authored award-winning editorial on campus law enforcement and security funding, officer recruitment and retention, access control, IP video, network integration, event management, crime trends, the Clery Act, Title IX compliance, sexual assault, dating abuse, emergency communications, incident management software and more. Robin has been featured on national and local media outlets and was formerly associate editor for the trade publication Security Sales & Integration. She obtained her undergraduate degree in history from California State University, Long Beach.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety Online Summit Promo Campus Safety HQ