A story in the St. Louis Post-Dispatch has Gov. Mike Parson on the warpath. The article is about a vulnerability in data management at the Department of Elementary and Secondary Education (DESE). Specifically, how the newspaper got the information for that story.
The Post-Dispatch published a report on how a flaw in the education department's web application had left more than 100,000 teachers' social security numbers open to data mining.
Reporter Josh Renaud explained how someone could access the information through the HTML source code, which was accessible through a search of the public records on teacher certification and credentials.
The article explained that publication was delayed until after the newspaper had notified DESE of the problem and the agency had time to close the portal and protect the information.
The Post did not publish any of the personal information it might have gained access to. The governor does not see it as a case of the news media doing the government a favor. He calls it an illegal hack, one that was politically motivated. "They were acting against a state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet," said Parson at Thursday's press conference.
The newspaper quoted a cybersecurity professor at the University of Missouri-St. Louis as saying the access exposed "a serious flaw," one known about for over a decade.
A statement from DESE said simply that the information technology people at the Office of Administration were on it, and changes had been made.
Parson took it personally. "What they did is beyond unethical," said Parson.
Joseph Martineau is an attorney for the Post Dispatch. “The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” said Martineau in a written statement. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.
Parson did not answer questions after Thursday's press conference. One Post-Dispatch reporter asked if Parson should say "thank you" to the Post-Dispatch.