A St. Louis Post-Dispatch journalist who uncovered, helped fix and reported a vulnerability in a Missouri government website that exposed more than 100,000 Social Security numbers of public school teachers and other staff members is now under criminal investigation by the Missouri State Highway Patrol for alleged unauthorized access to the site.
The move was prompted by a call for the investigation by Missouri Gov. Mike Parson, report WTVA and WLOV. Cybersecurity legal experts, however, say the prosecution is misguided and could have a chilling effect on others who discover cyber vulnerabilities, reports NBC News.
The journalist who wrote about the vulnerabilities in the website of the state’s Department of Elementary and Secondary Education (DESE) is Josh Renaud of the St. Louis Post-Dispatch. In an article he published Wednesday, he reported that viewing the website’s HTML source code revealed the names and Social Security numbers of public school teachers, administrators and counselors in the state. He was then able to verify the vulnerability by contacting three of the individuals in the exposed database.
Before the article was published, however, the Post-Dispatch said it delayed publishing the report so DESE could “take steps to protect teachers’ private information and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.” The article was published one day after the problematic pages were removed from the website.
Despite this, Parson described Renaud as a “perpetrator” who “took the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators,” reports Ars Technica.
“Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them,” Parson added.
The Post-Dispatch responded that the “Social Security numbers were present in the publicly visible HTML source code of the pages involved.” It should also be noted that most web browsers have the option to “view source” or “view page source” that allows anyone to look at a website’s HTML.
In a statement to CNN, Ian Caso, president and publisher of the Post-Dispatch, said the publication stands by its journalist, “who did everything right. It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to the Department of Elementary and Secondary Education’s attention.”
An attorney for the newspaper claimed that when the journalist was conducting research for the article, “there was no breach of any firewall or security and certainly no malicious intent,” report WTVA and WLOV.
“It’s incredibly wrong to characterize what occurred here as anything less than fully responsible and ethical,” Aaron Mackey, an attorney at the Electronic Frontier Foundation, a nonprofit that advocates for digital rights, told NBC News.
Currently, no charges have been filed against Renaud or the Post-Dispatch.