Missouri Governor's Hack Accusation Loses SteamFBI Says No Intrusion; State Agency Wanted to Thank Reporter
In mid-October, Missouri's governor accused a reporter of malicious hacking after he alerted the state to exposed Social Security numbers within the HTML source code of a state education website.
Now, emails obtained by the St. Louis Post-Dispatch and described in a story on Friday, reveal that the state had planned on thanking the reporter before it chose instead to pursue prosecution. Also, the local FBI dismissed the incident, saying there was no intrusion.
The situation raised concerns that Missouri was intentionally failing to recognize responsible security disclosure and twisting the situation for political benefit (see: Missouri Refers Coordinated Bug Disclosure to Prosecutors).
Caught in the middle is Josh Renaud, a St. Louis Post-Dispatch developer and reporter, who filed a story on Oct. 14 describing the exposure of more than 100,000 Social Security numbers.
Renaud found that the numbers were presented in the HTML source code of the Department of Elementary and Secondary Education's website, or DESE. Source code for any website can be viewed using a tool present in web browsers.
The Social Security numbers weren't visible on the regular web pages. The exposure was related to a web application that allows people to verify a teacher's certifications and credentials.
Prior to publishing a story, the newspaper informed DESE of the exposure, which then was fixed. Fury ensued after the story ran. In a news conference on Oct. 14, Missouri Gov. Michael L. Parson accused the reporter of malicious hacking and referred the case to the Missouri State Highway Patrol, where it remains under investigation, according to the Post-Dispatch.
Parson said the reporter took the personal information of three educators and "decoded the HTML source code, and viewed the Social Security numbers of those specific educators."
Contacted on Sunday, a St. Louis Post-Dispatch spokeswoman didn't answer a question about whether Renaud had been charged. But in a statement, the newspaper's president and publisher, Ian Caso, said the emails "show there was no network intrusion."
“As DESE initially acknowledged, the reporter should have been thanked for the responsible way he handled the matter and not chastised or investigated as a hacker," Caso said.
FBI: No Intrusion Here
The Post-Dispatch's latest story is based on emails obtained through the state's Sunshine Law, which allows open access to government information.
DESE planned to thank the newspaper for finding the data exposure. DESE's spokeswoman sent an email on Oct. 12 to the governor's office with proposed copy for a press release. One of the sentences read: "We are grateful to the member of the media who brought this to the state's attention."
But in a press statement released the next day, Missouri's Office of Administration - which programmed and maintains the web application that leaked the data - characterized Renaud as "a hacker."
Also, a state cybersecurity specialist for the state, Angie Robinson, had forwarded emails from Renaud about the situation to FBI Special Agent Kyle Storm in the agency's St. Louis bureau.
The paper reports that Storm responded that the incident is not an actual network intrusion and that the state's database was misconfigured, which allowed open-source tools to be used to query data that should have not been public. But Storm responded that the FBI would contact the assistant U.S. attorney's office to see if the incident merited prosecution.
There appeared to be more grievances in play. During the news conference, Parson took the situation much further, accusing the St. Louis Post-Dispatch of intentionally trying to embarrass the state and saying that the data leak was part of a "political agenda."
Parson also accused the newspaper of using the incident for profit: "They were acting against the state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for the news outlet."