dese – Techdirt (original) (raw)

Turns Out It Was Actually The Missouri Governor's Office Who Was Responsible For The Security Vulnerability Exposing Teacher Data

from the will-you-look-at-that dept

The story of Missouri’s Department of Elementary and Secondary Education (DESE) leaking the Social Security Numbers of hundreds of thousands of current and former teachers and administrators could have been a relatively small story of yet another botched government technology implementation — there are plenty of those every year. But then Missouri Governor Mike Parson insisted that the reporter who reported on the flaw was a hacker and demanded he be prosecuted. After a months’ long investigation, prosecutors declined to press charges, but Parson doubled down and insisted that he would “protect state data and prevent unauthorized hacks.”

You had to figure another shoe was going to drop and here it is. As Brian Krebs notes, it has now come out that it was actually the Governor’s own IT team that was in charge of the website that leaked the data. That is, even though it was the DESE website, that was controlled by the Governor’s own IT team. This is from the now released Missouri Highway Patrol investigation document. As Krebs summarizes:

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state?s Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade.

McGowin also said the DESE?s website was developed and maintained by the Office of Administration?s Information Technology Services Division (ITSD) ? which the governor?s office controls directly.

?I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct,? the Highway Patrol investigator wrote. ?I asked her if the ITSD was within the Office of Administration, or if DESE had their on-information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration.?

Now, it’s important to note that the massive, mind-bogglingly bad, security flaw that exposed all those SSNs in the source code of publicly available websites was coded long before Parson was the governor, but it’s still his IT team that was who was on the hook here. And perhaps that explains his nonsensical reaction to all of this?

For what it’s worth, the report also goes into greater detail about just how dumb this vulnerability was:

Ms. Keep and Mr. Durnow told me once on the screen with this specific data about any teacher listed in the DESE system, if a user of the webpage selected to view the Hyper Text Markup Language (HTML) source code, they were allowed to see additional data available to the webpage, but not necessarily displayed to the typical end-user. This HTML source code included data about the selected teacher which was Base64 encoded. There was information about other teachers, who were within the same district as the selected teacher, on this same page; however, the data about these other teachers was encrypted.

Ms. Keep said the data which was encoded should have been encrypted. Ms. Keep told me Mr. Durnow was reworking the web application to encrypt the data prior to putting the web application back online for the public. Ms. Keep told me the DESE application was about 10 years old, and the fact the data was only encoded and not encrypted had never been noticed before.

This explains why Parson kept insisting that it wasn’t simply “view source” that was the issue here, and that it was hacking because it was “decoded.” But Base64 decoding isn’t hacking. If it was, anyone figuring out what this says would be a “hacker.”

TWlrZSBQYXJzb24gaXMgYSB2ZXJ5IGJhZCBnb3Zlcm5vciB3aG8gYmVpZXZlcyB0aGF0IGhpcyBvd24gSVQgdGVhbSdzIHZlcnkgYmFkIGNvZGluZyBwcmFjdGljZXMgc2hvdWxkIG5vdCBiZSBibGFtZWQsIGFuZCBpbnN0ZWFkIHRoYXQgaGUgY2FuIGF0dGFjayBqb3VybmFsaXN0cyB3aG8gZXRoaWNhbGx5IGRpc2Nsb3NlZCB0aGUgdnVsbmVyYWJpbGl0eSBhcyAiaGFja2VycyIgcmF0aGVyIHRoYW4gdGFrZSBldmVuIHRoZSBzbGlnaHRlc3QgYml0IG9mIHJlc3BvbnNpYmlsaXR5Lg==

That’s not hacking. That’s just looking at what’s there and knowing how to read it. Not understanding the difference between encoding and encrypting is the kind of thing that is maybe forgivable for a non-techie in a confused moment, but Parson has people around him who could surely explain it — the same people who clearly explained it to the Highway Patrol investigating. But instead, he still insists it was hacking and is still making journalist Jon Renaud’s life a living hell from all this nonsense.

The investigation also confirms exactly as we had been saying all along that Renaud and the St. Louis Post-Dispatch did everything in the most ethical way possible. It found the vulnerability, checked to make sure it was real, confirmed it with an expert, then notified DESE about it, including the details of the vulnerability, and while Renaud noted that the newspaper was going to run a story about it, made it clear that it wanted to make sure the vulnerability was locked down before the story would run.

So, once again, Mike Parson looks incredibly ignorant, and completely unwilling to take responsibility. And the more he does so, the more this story continues to receive attention.

Filed Under: dese, hacking, jon renaud, mike parson, missouri, vulnerability
Companies: st. louis post dispatch

Missouri's Governor Still Insists Reporter Is A Hacker, Even As Prosecutors Decline To Press Charges

from the disgusting dept

Last autumn, you may recall, the St. Louis Post-Dispatch published an article revealing that the Missouri Department of Elementary and Secondary Education (DESE) was leaking the Social Security numbers of teachers and administrators, past and present, by putting that information directly in the HTML. The reporters at the paper ethically disclosed this to the state, and waited until this very, very bad security mistake had been patched before publishing the story. In response, rather than admitting that an agency under his watch had messed up, Missouri Governor Mike Parson made himself into a complete laughingstock, by insisting that the act of viewing the source code on the web page was nefarious hacking. Every chance he had to admit he fucked up, he doubled down instead.

The following month, the agency, DESE, flat out admitted it screwed up and apologized to teachers and administrators, and offered them credit monitoring… but still did not apologize to the journalists. FOIA requests eventually revealed that before Governor Parson had called the reporters hackers, the FBI had already told the state that no network intrusion had taken place and it was also revealed that the state had initially planned to thank the journalists. Instead, Parson blundered in and insisted that it was hacking and that people should be prosecuted.

Hell, three weeks after it was revealed that the FBI had told the state that no hacking had happened, Parson was still saying that he expected the journalists to be prosecuted.

Finally, late on Friday, the prosecutors said that they were not pressing charges and considered the matter closed. The main journalist at the center of this, Jon Renaud, broke his silence with a lengthy statement that is worth reading. Here’s a snippet:

This decision is a relief. But it does not repair the harm done to me and my family.

My actions were entirely legal and consistent with established journalistic principles.

Yet Gov. Mike Parson falsely accused me of being a ?hacker? in a televised press conference, in press releases sent to every teacher across the state, and in attack ads aired by his political action committee. He ordered the Highway Patrol to begin a criminal investigation, forcing me to keep silent for four anxious months.

This was a political persecution of a journalist, plain and simple.

Despite this, I am proud that my reporting exposed a critical issue, and that it caused the state to take steps to better safeguard teachers? private data.

At the same time, I am concerned that the governor?s actions have left the state more vulnerable to future bad actors. His high-profile threats of legal retribution against me and the Post-Dispatch likely will have a chilling effect, deterring people from reporting security or privacy flaws in Missouri, and decreasing the chance those flaws get fixed.

This has been one of the most difficult seasons of my nearly 20-year career in journalism

Later in the letter, he notes that a week earlier, Parson himself had decried the treatment of his rejected nominee to lead the state’s Department of Health and Senior Services, noting that Parson complained that “more care was given to political gain than the harm caused to a man and his family.” Renaud noted that the same could be said of Parson’s treatment of himself:

Every word Gov. Parson wrote applies equally to the way he treated me.

He concludes by hoping that “Parson’s eyes will be opened, that he will see the harm he did to me and my family, that he will apologize, and that he will show Missourians a better way.”

And Parson showed himself to be a bigger man and did exactly that… ha ha, just kidding. Parson just kept digging, and put out a truly obnoxious statement, with no apology and continuing to insist that Renaud hacked the government’s computers even though — again, this is important, lest you just think the governor is simply technically ignorant — the FBI has already told him that there was no hacking:

“The hacking of Missouri teachers’ personally identifiable information is a clear violation of Section 56.095, RSMo, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative.

The Prosecutor believes the matter has been properly address and resolved through non-legal means.

The state will continue to work to ensure safeguards are in place to protect state data and prevent unauthorized hacks.

This whole statement is utter hogwash and embarrassing nonsense. Again, there was no hacking whatsoever. The state messed up by putting information that should never, ever be in HTML code into HTML code, making it accessible for anyone who viewed the source on their own computer. The state messed up. The state failed to secure the data. The state sent that data to the browsers of everyone who visited certain pages on their public websites. Renaud did exactly the right thing. He discovered this terrible security flaw that the state put on the database, ethically reported it, waited until the state fixed its own error, and then reported on it.

Parson knew from the beginning that no hacking occurred. The FBI told the state that no hacking occurred. The state had prepared to thank Renaud and his colleagues at the St. Louis Post-Dispatch. It was only after Parson decided to deny, deny, deny and blame, blame, blame reporters for pointing out Parson’s own government’s failings, that this whole thing got out of hand.

The prosecutors have their own reasons for declining to prosecute, but the most likely reason is they knew they’d get laughed out of court and it would make them and Parson look even more ridiculous. Renaud chose give a heartfelt write up of what Parson’s nonsense put him through, and asked in the politest way possible for Parson to look deep inside at the harm he had caused and to apologize. Instead, Parson quadrupled down, continued to insist that his own government’s failings could be blamed on a “hack,” and insisting that he’s trying to “protect” the state when all he’s done is show why no serious tech company should do business in such a state.

Missouri: elect better politicians. Parson is an embarrassment.

Filed Under: dese, ethical disclosure, hacking, jon renaud, journalism, mike parson, missouri, security flaw, view source
Companies: st. louis post dispatch

Missouri Governor Still Lying About Reporters Who Uncovered Ridiculous Bad State Computer Security; Still Insists They Were Hackers

from the lie-through-it,-mike dept

Missouri Governor Mike Parson is nothing if not committed to shamelessly lying. As you’ll recall, after journalists from the St. Louis Post-Dispatch ethically informed the state that the Department of Elementary and Secondary Education (DESE) website included a flaw that revealed the social security numbers of over 600,000 state teachers and school administrators, Parson responded by calling the reporters hackers and vowing to prosecute them. Again, the DESE system displayed this information directly in the HTML, available for anyone to see if they knew where to look. That’s not hacking. That’s incompetent computer security.

So far, this has mostly played out as expected. A month after the revelations, DESE finally admitted it fucked up and apologized to the teachers and administrators and offered them identity fraud protection services. Then, last week, a public record request revealed something incredible, though perhaps not surprising: the FBI had already told Missouri officials that no hacking took place and DESE had prepared a statement (correctly) thanking the journalists for alerting them to their own fuck up… but that statement was ditched in favor of the nonsense one claiming that the journalists “hacked” the system. As we said in that last story, right at the end it notes that the Highway Patrol investigation, instigated by Parson, was “still active.”

And now Parson is still standing by the ridiculous claim that the reporters are hackers. As for how he could possibly claim that after the revelation of internal documents on the situation? Well, Parson is trotting out the old “fake news” bullshit:

Asked at a ribbon-cutting ceremony Tuesday whether, in light of the records provided by the state, he still believed the newspaper committed a crime, Parson said, ?Most certainly I believe that. And most certainly I don?t know where that information?s coming from that you guys printed on that, whether it?s very accurate or not either. It has a tendency not to be very accurate a lot of times.?

Dude. What? Do newspapers make errors sometimes? Sure. But (1) from the very beginning it was abundantly clear that the problem here was with the state, not with the reporters, because under no circumstances should people be able to see the Social Security Numbers of other people in HTML and (2) if you’re crying “fake news” about documents revealed under a public records law then you have to actually say what’s fake. Is Parson claiming that his own government supplied fake information in response to a public records request? Because that would be fucked up. No, the truth is that Parson can’t handle the fact that everyone knows he’s just wrong, so he’s going to lie right through it.

Missourians, you deserve better than a governor who will actively lie to you and put state employees at risk. Elect someone who is not a liar.

Filed Under: dese, ethical disclosure, hackers, html, journalism, mike parson, missouri, security research
Companies: st. louis post dispatch

Newly Revealed Details Show That Missouri Government Totally Knew That Journalists Were Not At Fault For Teacher Data Vulnerability

from the of-course-they-knew dept

Kudos for open records laws proving to us that not only is Missouri Governor Mike Parson a technologically illiterate hack, but he’s a lying one as well. You’ll recall, of course, that in October, the St. Louis Post-Dispatch reported on how the state’s Department of Elementary and Secondary Education (DESE) website was designed in such a dangerous way that it was exposing the social security numbers of state teachers and administrators, and rather than thanking the journalists for their ethical disclosure of this total security fail by the state, DESE and Governor Parson called them hackers and asked law enforcement to prosecute them. Governor Parson continued to double down for weeks, insisting that reporting this vulnerability (and failed security by the government he runs) was malicious hacking until DESE finally admitted it fucked up and apologized to the over 600,000 teachers and administrators whose data was vulnerable — but never apologizing to the journalists.

The Post-Dispatch, whose reporters potentially still face charges, put out an open records request to find out more about what the government was saying and discovered, somewhat incredibly, that before DESE referred to them as hackers, it already knew that it was at fault here and even initially planned to thank the journalists. As the documents reveal, the FBI flat out told DESE that this was a DESE fuckup and DESE had sent Gov. Parson a planned statement that thanked the journalists:

In an Oct. 12 email to officials in Gov. Mike Parson?s office, Mallory McGowin, spokeswoman for DESE, sent proposed statements for a press release announcing the data vulnerability the newspaper uncovered.

?We are grateful to the member of the media who brought this to the state?s attention,? said a proposed quote from Education Commissioner Margie Vandeven.

The Parson administration and DESE did not end up using that quote.

The next day, on Oct. 13, the Office of Administration issued a news release calling the Post-Dispatch journalist a ?hacker.?

This is truly incredible. As are the details of the conversation between a Missouri employee and a local FBI agent.

Meanwhile, at 3:24 p.m. on Oct. 13, Angie Robinson, cybersecurity specialist for the state, emailed Department of Public Safety Director Sandra Karsten to inform her that she had forwarded emails from the Post-Dispatch to Kyle Storm with the FBI in St. Louis.

?Kyle informed me that after reading the emails from the reporter that this incident is not an actual network intrusion,? she said.

Instead, she wrote, the FBI agent said the state?s database was ?misconfigured.?

?This misconfiguration allowed open source tools to be used to query data that should not be public,? she wrote.

So, by the time of the “hacker” statement by DESE, it was already pretty clear to people within DESE that it was DESE at fault and not journalists ethically disclosing DESE’s terribly bad security practices. However, the report also notes that the FBI and the local Assistant US Attorney were still investigating whether or not they could bring criminal charges against the journalists:

?Kyle said the FBI would speak to Gwen Carroll, the AUSA (Assistant U.S. Attorney), with the updated information from the emails to see if this still fit the crime and if she was interested in prosecuting,? Robinson said.

Oh, and even worse: technically the criminal investigation is still ongoing:

As of Tuesday, the Highway Patrol?s investigation was still active, Capt. John Hotz told the Post-Dispatch.

That investigation needs to be closed, and everyone involved from DESE to Governor Parson to the Highway Patrol owe the St. Louis Post-Dispatch, its reporters, and the citizens of Missouri a massive apology.

Filed Under: data breach, dese, ethical disclosure, mike parson, missouri, right click, view source, vulnerability
Companies: st. louis post dispatch

Missouri Admits It Fucked Up In Exposing Teacher Data, Offers Apology To Teachers — But Not To Journalists It Falsely Accused Of Hacking

from the be-better-missouri dept

As you’ll recall, last month, journalists for the St. Louis Post-Dispatch revealed that the state’s Department of Elementary and Secondary Education (DESE) website was exposing teacher and administrator social security numbers in the HTML source code. This came years after state auditors had highlighted that DESE was already collecting information it should not have been collecting. Bizarrely, DESE and Missouri governor Mike Parson, rather than thanking these journalists for helping to protect the teachers, accused them of being hackers and promising to prosecute them. After people mocked him, he doubled down on the claim and a PAC closely connected to Parson put out a bizarre add playing up the evil “hacking” by the “fake news” media, along with ridiculous talk about “decoding the HTML source code.”

Except that, now, DESE has (much more quietly, and with much less bombast) apologized for the data breach and offered credit and identity theft monitoring to teachers:

The Department of Elementary and Secondary Education (DESE), in conjunction with Missouri’s Office of Administration Information Technology Services Division (OA-ITSD), will begin to send letters in the coming days to certificated educators across the state whose personally identifiable information (PII) may have been compromised during a recent data vulnerability incident.

Note the changing description here. What they were previously calling a “hack” is now, more accurately, called a “data vulnerability incident.” Though, a more accurate description would be that DESE exposed private data of teachers and administrators. Taking responsibility for that would mean being a bit more upfront about that. DESE messed up. Own it.

The state is unaware of any misuse of individual information or if information was accessed inappropriately outside of an isolated incident. However, out of an abundance of caution and in the unlikely event that this information was inappropriately accessed outside this single incident, the State of Missouri is offering 12 months of credit and identity theft monitoring resources through IDX to the approximately 620,000 past and present certificated educators whose PII was contained in the DESE certification database.

So, what’s notable here is that with all the claims of “hacks” being thrown around, DESE and the Governor kept insisting that just 3 individuals, whose info the reporters checked on, were exposed, and refused to admit that it actually impacted a very large number of teachers and administrators. Now, buried in the middle of this notice, we find out that the records of 620,000 teachers and administrators were exposed, including past employees. Wow.

And, also, there’s at least some kind of apology, even if it’s a bit of a mealy-mouthed one:

?Educators have enough on their plates right now and I want to apologize to them for this incident and the additional inconvenience it may cause them,? said Commissioner of Education Margie Vandeven. ?It is unacceptable. The security of the data we collect is of the utmost importance to our agency. Rest assured that we are working closely with OA-ITSD to resolve this situation.?

Notice, however, that the apology is only to the teachers and administrators and not to the journalists DESE and the Governor falsely accused of hacking. Perhaps that’s because — as the Kansas City Star reports — the journalists are still being investigated for possible prosecution:

That investigation is still ongoing, according to patrol Capt. John Hotz. Those interviewed so far have included Shaji Khan, a University of Missouri – St. Louis cybersecurity expert whom the Post-Dispatch consulted to verify the data flaw. Cole County Prosecutor Locke Thompson will ultimately make a decision on whether to bring charges.

Hell, in the description of what happened, DESE ignores that it previously accused the reporters of hacking, refuses to even call them reporters (refering to them as “an individual”) and then still plays up that the data needed to be “decoded.”

As previously announced by OA, on October 12, 2021, DESE was made aware that the PII of at least three Missouri educators was potentially compromised. The information was located within the educator certification data available on DESE?s website. An individual told DESE that they, through a multi-step process, accessed the certification records of at least three educators, took the encoded source data from that webpage, decoded that data, and then viewed the social security number (SSN) of those specific educators. Educators? PII was only accessible on an individual basis within this search tool, and there was no option to decode SSNs for all educators in the system all at once.

Again, if you click on the “previously announced” link, it takes you right to the announcement that calls the reporter “a hacker” and accuses them of “taking records.”

Notably, Governor Mike Parson, who was so eager to call the journalists hackers and call for their prosecution has not (as of me writing this) said anything directly on Twitter about all this — other than a bizarre tweet this morning about how “great teachers are crucial to our workforce development goals.” Of course, one way to get great teachers is not to expose their data, and then try to cover it up or to blame the responsible and ethical disclosure practices of journalists who actually helped to protect those teachers.

Filed Under: credit monitoring, data breach, data vulnerability, dese, hacking, journalism, mike parson, missouri, st. louis, teachers

from the wtf-missouri? dept

Last Friday, Missouri’s Chief Information Security Officer Stephen Meyer stepped down after 21 years working for the state to go into the private sector. His timing is noteworthy because it seems like Missouri really could use someone in their government who understands basic cybersecurity right now.

We’ve seen plenty of stupid stories over the years about people who alert authorities to security vulnerabilities then being threatened for hacking, but this story may be the most ridiculous one we’ve seen. Journalists for the St. Louis Post-Dispatch discovered a pretty embarrassing leak of private information for teachers and school administrators. The state’s Department of Elementary and Secondary Education (DESE) website included a flaw that allowed the journalists to find social security numbers of the teachers and administrators:

Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers? Social Security numbers were contained in the HTML source code of the pages involved.

The newspaper asked Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, to confirm the findings. He called the vulnerability ?a serious flaw.?

?We have known about this type of flaw for at least 10-12 years, if not more,? Khan wrote in an email. ?The fact that this type of vulnerability is still present in the DESE web application is mind boggling!?

In the HTML source code means that it sent that information to the computers/browsers of those who knew what pages to go to. It also appears that the journalists used proper disclosure procedures, alerting the state and waiting until it had been patched before publishing their article:

The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.

Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.

The newspaper delayed publishing this report to give the department time to take steps to protect teachers? private information, and to allow the state to ensure no other agencies? web applications contained similar vulnerabilities.

Also, it appears that the problems here go back a long ways, and the state should have been well aware that this problem existed:

The state auditor?s office has previously sounded warning bells about education-related data collection practices, with audits of DESE in 2015 and of school districts in 2016.

The 2015 audit found that DESE was unnecessarily storing students? Social Security numbers and other personally identifiable information in its Missouri Student Information System. The audit urged the department to stop that practice and to create a comprehensive policy for responding to data breaches, among other recommendations. The department complied, but clearly at least one other system contained an undetected vulnerability.

This is where a competent and responsible government would thank the journalists for finding the vulnerability and disclosing it in an ethical manner designed to protect the info of the people the state failed to properly protect.

But that’s not what happened.

Instead, first the Education Commissioner tried to make viewing the HTML source code nefarious:

In the letter to teachers, Education Commissioner Margie Vandeven said ?an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.?

It was never “encrypted,” Commissioner, if the journalists could simply look at the source code and get the info.

Then DESE took it up a notch and referred to the journalists as “hackers.”

But in the press release, DESE called the person who discovered the vulnerability a ?hacker? and said that individual ?took the records of at least three educators? ? instead of acknowledging that more than 100,000 numbers had been at risk, and that they had been available to anyone through DESE?s own search engine.

And then, it got even worse. Missouri Governor Mike Parson called a press conference in which he again called the journalists hackers and said he had notified prosecutors and the Highway Patrol’s Digital Forensic Unit to investigate. Highway Patrol? He also claimed (again) that they had “decoded the HTML source code.” That’s… not difficult. It’s called “view source” and it’s built into every damn browser, Governor. It’s not hacking. It’s not unauthorized.

Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.

We notified the Cole County prosecutor and the Highway Patrol?s Digital Forensic Unit will investigate. pic.twitter.com/2hkZNI1wXE

— Governor Mike Parson (@GovParsonMO) October 14, 2021

It gets worse. Governor Parson claims that this “hack” could cost $50 million. I only wish I was joking.

This incident alone may cost Missouri taxpayers up to $50 million and divert workers and resources from other state agencies. This matter is serious.

The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them ? In accordance with what Missouri law allows AND requires.

A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code. This was clearly a hack.

We must address any wrongdoing committed by bad actors.

If it costs $50 million to properly secure the data on your website that previous audits had already alerted you as a problem, then that’s on the incompetent government who failed to properly secure the data in the first place. Not on journalists ethically alerting you to fix the vulnerability. And, there’s no “unauthorized access.” Your system put that info into people’s browsers. There’s no “decoding” to view the source. That’s not how any of this works.

As people started loudly mocking Governor Parson, he decided to double down, insisting that it was more than a simple “right click” and repeating that journalists had to “convert and decode the data.”

We want to be clear, this DESE hack was more than a simple ?right click.?

THE FACTS: An individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers? personal information. (1/3) pic.twitter.com/JKgtIpcibM

— Governor Mike Parson (@GovParsonMO) October 14, 2021

Again, even if it took a few steps, that’s still not hacking. It’s still a case where the state agency made that info available. That’s not on the journalists who responsibly disclosed it. It’s on the state for failing to protect the data properly (and for collecting and storing too much data in the first place).

Indeed, in doing this ridiculous show of calling them hackers and threatening prosecution, all the state of Missouri has done is make damn sure that the next responsible/ethical journalists and/or security researchers will not alert the state to their stupidly bad security. Why take the risk?

Filed Under: blame the messenger, dese, disclosure, ethical disclosure, hacking, mike parson, private information, schools, social security numbers, st. louis, teachers, vulnerabilities
Companies: st. louis post dispatch