Journalists In St. Louis Discover State Agency Is Revealing Teacher Social Security Numbers; Governor Vows To Prosecute Journalists As Hackers

from the wtf-missouri? dept

Last Friday, Missouri’s Chief Information Security Officer Stephen Meyer stepped down after 21 years working for the state to go into the private sector. His timing is noteworthy because it seems like Missouri really could use someone in their government who understands basic cybersecurity right now.

We’ve seen plenty of stupid stories over the years about people who alert authorities to security vulnerabilities then being threatened for hacking, but this story may be the most ridiculous one we’ve seen. Journalists for the St. Louis Post-Dispatch discovered a pretty embarrassing leak of private information for teachers and school administrators. The state’s Department of Elementary and Secondary Education (DESE) website included a flaw that allowed the journalists to find social security numbers of the teachers and administrators:

Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.

The newspaper asked Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, to confirm the findings. He called the vulnerability “a serious flaw.”

“We have known about this type of flaw for at least 10-12 years, if not more,” Khan wrote in an email. “The fact that this type of vulnerability is still present in the DESE web application is mind boggling!”

“In the HTML source code” means the server was sending that information to the browser of anyone who knew which pages to visit; the browser simply did not display it. It also appears that the journalists followed proper disclosure procedures, alerting the state and waiting until the affected pages had been taken down before publishing their article:

The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.

Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.

The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.

Also, it appears that the problems here go back a long ways, and the state should have been well aware that this problem existed:

The state auditor’s office has previously sounded warning bells about education-related data collection practices, with audits of DESE in 2015 and of school districts in 2016.

The 2015 audit found that DESE was unnecessarily storing students’ Social Security numbers and other personally identifiable information in its Missouri Student Information System. The audit urged the department to stop that practice and to create a comprehensive policy for responding to data breaches, among other recommendations. The department complied, but clearly at least one other system contained an undetected vulnerability.

This is where a competent and responsible government would thank the journalists for finding the vulnerability and disclosing it in an ethical manner designed to protect the info of the people the state failed to properly protect.

But that’s not what happened.

Instead, first the Education Commissioner tried to make viewing the HTML source code nefarious:

In the letter to teachers, Education Commissioner Margie Vandeven said “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”

It was never “encrypted,” Commissioner, if the journalists could simply look at the source code and get the info.

Then DESE took it up a notch and referred to the journalists as “hackers.”

But in the press release, DESE called the person who discovered the vulnerability a “hacker” and said that individual “took the records of at least three educators,” instead of acknowledging that more than 100,000 numbers had been at risk, and that they had been available to anyone through DESE’s own search engine.

And then, it got even worse. Missouri Governor Mike Parson called a press conference in which he again called the journalists hackers and said he had notified prosecutors and the Highway Patrol’s Digital Forensic Unit to investigate. Highway Patrol? He also claimed (again) that they had “decoded the HTML source code.” That’s… not difficult. It’s called “view source” and it’s built into every damn browser, Governor. It’s not hacking. It’s not unauthorized.

It gets worse. Governor Parson claims that this “hack” could cost $50 million. I only wish I was joking.

This incident alone may cost Missouri taxpayers up to $50 million and divert workers and resources from other state agencies. This matter is serious.

The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them, in accordance with what Missouri law allows AND requires.

A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code. This was clearly a hack.

We must address any wrongdoing committed by bad actors.

If it costs $50 million to properly secure the data on your website that previous audits had already alerted you as a problem, then that’s on the incompetent government who failed to properly secure the data in the first place. Not on journalists ethically alerting you to fix the vulnerability. And, there’s no “unauthorized access.” Your system put that info into people’s browsers. There’s no “decoding” to view the source. That’s not how any of this works.

As people started loudly mocking Governor Parson, he decided to double down, insisting that it was more than a simple “right click” and repeating that journalists had to “convert and decode the data.”

Again, even if it took a few steps, that’s still not hacking. It’s still a case where the state agency made that info available. That’s not on the journalists who responsibly disclosed it. It’s on the state for failing to protect the data properly (and for collecting and storing too much data in the first place).
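The leak pattern the article describes, as an added example that is not DESE's code, the Post-Dispatch's findings, or anything from the original post: a toy Node.js renderer for a certification-lookup result page in the leaky form (the whole backend record serialised into hidden fields, so the SSN is "not visible or searchable" on the page but sits in the source every browser can show) and in a hardened form (an explicit allowlist of public fields, which is the data-minimisation point the auditor made), plus a scanner that pulls SSN-shaped values out of raw HTML both as plain text and after base64-decoding anything base64-shaped, since "decoding" an encoding is not defeating encryption. The record, field names, and the base64 variant are all constructed for the example; nothing here describes how the DESE page was actually built.

```javascript
// Added example (not DESE's, the Post-Dispatch's or Techdirt's code): a toy
// server-side renderer for a "teacher certification lookup" result page, in
// the leaky form the article describes and in a hardened form, plus a
// scanner to run over your own HTML to catch the same mistake.
// All names, fields and records below are constructed for the example.

// Constructed sample record, as a backend might return it. Only name,
// certificate and expiry are needed by the public page; the SSN is not.
const teacherRecord = {
  name: 'Jane Q. Educator',
  certificate: 'Professional Teaching Certificate',
  expires: '2025-06-30',
  ssn: '123-45-6789', // constructed, not a real SSN
};

// Minimal HTML escaping so attribute values cannot break out of their
// quotes (unrelated to the leak, but no renderer should omit it).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// LEAKY: serialises every field of the record into hidden inputs. The SSN
// is "not visible or searchable" on the rendered page, but it is in the
// source that "view source" shows. Nothing here is encrypted.
function renderLeaky(rec) {
  const hidden = Object.entries(rec)
    .map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('\n');
  return `<html><body>
<h1>${escapeHtml(rec.name)}</h1>
<p>${escapeHtml(rec.certificate)} (expires ${escapeHtml(rec.expires)})</p>
<form>${hidden}</form>
</body></html>`;
}

// A base64 variant of the same leak, for the "convert and decode" claim:
// base64 is an encoding anyone can reverse, not encryption.
function renderLeakyBase64(rec) {
  const blob = Buffer.from(JSON.stringify(rec)).toString('base64');
  return `<html><body><div data-record="${blob}">${escapeHtml(rec.name)}</div></body></html>`;
}

// HARDENED: an explicit allowlist of fields the page may carry. Whatever
// the backend returns, nothing outside this list reaches the template.
const PUBLIC_FIELDS = ['name', 'certificate', 'expires'];

function renderHardened(rec) {
  const view = Object.fromEntries(PUBLIC_FIELDS.map((k) => [k, rec[k]]));
  return `<html><body>
<h1>${escapeHtml(view.name)}</h1>
<p>${escapeHtml(view.certificate)} (expires ${escapeHtml(view.expires)})</p>
</body></html>`;
}

// SCANNER: what a reviewer (or the journalists) would do with the raw
// HTML. Looks for SSN-shaped values as plain text, then base64-decodes any
// token that looks like base64 and looks again. Returns the distinct hits.
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;
const B64_TOKEN_RE = /[A-Za-z0-9+/]{12,}={0,2}/g;

function findSsnLeaks(html) {
  const hits = new Set(html.match(SSN_RE) || []);
  for (const tok of html.match(B64_TOKEN_RE) || []) {
    // Buffer.from ignores invalid base64 characters; non-base64 words such
    // as "Professional" decode to harmless noise that matches nothing.
    const decoded = Buffer.from(tok, 'base64').toString('utf8');
    for (const m of decoded.match(SSN_RE) || []) hits.add(m);
  }
  return [...hits];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('leaky:       ', findSsnLeaks(renderLeaky(teacherRecord)));
  console.log('base64 leaky:', findSsnLeaks(renderLeakyBase64(teacherRecord)));
  console.log('hardened:    ', findSsnLeaks(renderHardened(teacherRecord)));
}
```

Run it with node: both leaky pages yield the constructed SSN, the hardened page yields nothing, because the field never reaches the template no matter what the backend hands back. The scanner is the sort of check a team can run over its own rendered pages in CI before an outsider runs it for them; it deliberately treats base64 as transparent, which is the point the "decoded the source code" framing misses.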

Indeed, in doing this ridiculous show of calling them hackers and threatening prosecution, all the state of Missouri has done is make damn sure that the next responsible/ethical journalists and/or security researchers will not alert the state to their stupidly bad security. Why take the risk?

Companies: st. louis post dispatch


Comments on “Journalists In St. Louis Discover State Agency Is Revealing Teacher Social Security Numbers; Governor Vows To Prosecute Journalists As Hackers”

64 Comments
This comment has been deemed insightful by the community.
That One Guy (profile) says:

'That took care of them, now why does my foot hurt so much?'

‘If you aren’t made aware of the problem it doesn’t exist’ seems to be the motto for far too many people in positions of authority, with the corollary of ‘If you shoot the current messenger giving you bad news that reduces the odds that another one will show up’.

The state was caught with its pants down and rather than admit they screwed up they decided on the absolute worst response, to punish the people who notified them of the problem and desperately try to shift the blame to them.

Not only is this stupid in the short term as it leaves the governor and state looking all sorts of boneheaded and pathetic but it just massively screwed them over long-term as no sane white-hat, security researcher or journalist is likely to make use of the ‘official channels’ from this point on, such that the first the Missouri government is likely to know about future hacks or security breaches/holes is after they’ve either been exploited or made public anonymously, leaving the affected agencies to do damage control after the fact.

Probably the only silver lining of this whole mess is the response to the governor’s statements as my oh my is that idiot getting roasted for his stupidity on twitter, with just so many people pointing out what an idiot he is and how the ‘we got hacked!’ claim is nothing more than CYOA garbage.

This comment has been flagged by the community.

Chaim says:

Re: Re: 'That took care of them, now why does my foot hurt so mu

Seriously? You’re making this political? So you’re really willing to stand on the statement that “All non-Trump supporters understand the difference between a hacker and a responsible disclosure.” Because that house of cards would topple really fast.

Chaim says:

Re: Re: Re:2 'That took care of them, now why does my foot hu

That’s exactly what ‘Whoever’ said. "Unfortunately, the same people who voted for Trump will believe the governor" which insinuates that anyone who didn’t vote for Trump wouldn’t believe him and would understand the difference. It also insinuates that there are no (or at least few) people who voted for Trump and wouldn’t believe the governor. This has nothing to do with politics, and making it so is a dangerous way of thinking.

This comment has been deemed insightful by the community.
Scary Devil Monastery (profile) says:

Re: Re: Re:3 'That took care of them, now why does my foo

"It also insinuates that there are no (or at least few) people who voted for Trump and wouldn’t believe the governor. This has nothing to do with politics, and making it so is a dangerous way of thinking."

All evidence so far suggests trump supporters are willing to eat bigger whoppers than what the governor put out, without salt. I mean, the "stolen election" has far less credibility and is still believed by what…90% of trump supporters or so? Sorry, but if you voted trump and still give the man enough benefit of doubt to support him over…well, anyone, really…then yes, we can say with good safety margin, that those people will believe anything as long as it comes from a politician in the leash of Dear Leader.

"…which insinuates that anyone who didn’t vote for Trump wouldn’t believe him and would understand the difference."

There are always idiots. Key difference is that idiocy and willful ignorance are considered an undesirable state of affairs among non-trumpers whereas it’s literal party policy among the pro-trumpers.

Hence yes, we can make that claim. That’s how sad a state of affairs we’re at right now.

"…making it so is a dangerous way of thinking."

It’s already self-evident that this is how things are. Made so by 70-90 million morons unwilling to believe Dear Leader could be wrong. Pointing to this state of affairs isn’t running any risk of invoking what is already there.

nasch (profile) says:

Re: Re: Re:3 'That took care of them, now why does my foo

insinuates that anyone who didn’t vote for Trump wouldn’t believe him and would understand the difference.

The first part yes, the second part no. There is no implication that non-Trump voters know the difference, only that they wouldn’t take the governor’s word for it. It seems like a pretty good bet to me.

This has nothing to do with politics, and making it so is a dangerous way of thinking.

Everything a governor says in his official capacity has something to do with politics.

This comment has been deemed insightful by the community.
Scary Devil Monastery (profile) says:

Re: Re: Re: 'That took care of them, now why does my foot hurt s

"Seriously? You’re making this political?"

It’s about the actions of an elected governor. It would take a blisteringly witless moron to assume it could somehow not be political given the primary actor is, in fact a politician pulling a less well thought out act of office.
Here’s a hint – leading with a demonstration you don’t understand the topic you’re upset about isn’t exactly making your case for Trump supporters…

"So you’re really willing to stand on the statement that "All non-Trump supporters understand the difference between a hacker and a responsible disclosure.""

Well, no. There are idiots in every camp. It’s just that among "non-trump supporters" stupid is considered an undesirable aberration, not official policy.

"Because that house of cards would topple really fast."

…and this you claim while shouting it at the castle walls from the pile of collapsed cards on the table.
At some point it ought to be inevitable that even a trump supporter manages to make a point without undermining their own argument from the first sentence. So far though, you guys have a "perfect" record in that regard…

Anonymous Coward says:

Re: Hmmm...

You’re giving them way too much credit.

Encryption on the client-side is next to useless. I’d be willing to gamble that the data in question was in the HTML as plain-text or another human-readable format.

Claiming the source code was encrypted is just a way for them to try to minimize the issue and discredit the reporters.

Even if I did give them the biggest possible benefit of the doubt, the data would probably have been base64-encoded instead of encrypted.

Anonymous Coward says:

Re: Re: Re: Hmmm...

Several children’s education shows call reading "decoding", so perhaps that’s what he’s thinking of? If he would watch these more, maybe he could master the skill of googling "view source", or even learn to read the right click menu which includes "view page source" …… nope, too busy practicing his "cover your ass by attempting to kill the messenger".

This comment has been flagged by the community.

David says:

Is this qualified immunity?

I get the appeal of qualified immunity: it means that you just need to claim dumb enough not to know what you are dealing with, and you win against the pesky elite of those who know what they are talking about. It’s exhilarating.

Problem is that it leads to positions getting filled by incompetent persons (like upper IQ limits for police officer applications) because they are both easier maintenance as well as immune against prosecution.

Now here we have a politician who is proud to parade his incompetence repeatedly to the applause of other incompetents, and like with qualified immunity for lawless police officers, we get effective qualified immunity for clueless politicians since voters will reward "owning the hackers".

Add to that the kill-all excuse "I believe otherwise because I seem to remember someone saying the Bible saying so, and while I never bothered actually studying it thoroughly myself, I’ll take that lame excuse over having to actually look at the details of how God’s creation works" of science not being allowed to impede on religion in schools, and the U.S. is really heaven for the stupid. All careers are open to them, and they get preferred treatment before the law and before public opinion.

ECA (profile) says:

Re: Is this qualified immunity?

"qualified immunity"
The ability to say, ‘no one told me that’
The idea that you don’t need to teach them ANYTHING, and they have an excuse to be DUMB.
The ability to fix a leaky faucet by calling a plumber, and not using a wrench to fix it. And pay $200+ for a $15+ 1 hour of work at most.
To have a low pressure tire, take it to the dealership, be charged $50 to check all your tires, be sold 4 new tires, leave the dealership and STILL have a low pressure tire.
To search on the net for sycology, and not find a thing, and not pay attention to the SPELL CHECK that suggests psychology.
To wander around your home looking for your glasses, and your spouse asks, ‘what are you looking for?’, you tell her, and she points UP, and you look at the ceiling, and they fall on the floor behind you, and you say, ‘What?’ and not see/hear the glasses hit the carpet.

This comment has been deemed funny by the community.
Anonymous Coward says:

Missouri Governor Mike Parson called a press conference in which he again called the journalists hackers and said he had notified prosecutors and the Highway Patrol’s Digital Forensic Unit to investigate. Highway Patrol?

Highway Patrol is clearly appropriate in this case as the offense took place on the information superhighway!

James Burkhardt (profile) says:

Re: Re:

49 of 50 states have a state police force. 15 refer to that force as highway patrol. The biggest job is handling jobs outside city jurisdictions, which i suppose at some points is mostly work writing moving violations and dealing with accidents. But they will be called in for any intra-state crimes that involve multiple local jurisdictions.

Anonymous Coward says:

people have got to wise up and realise that the most important thing happening atm is to suppress everyone except those in government, other politicians and all security service staff, along with any and all of their friends. us ordinary people are there (here) now simply to provide wealth and power for those above while they don’t give a fuck what they take away from us! it’s the result that certain people tried to get through WWII, but achieving it without murdering millions and destroying the Planet in the process!

This comment has been deemed insightful by the community.
Anonymous Coward says:

It's even the wrong argument...

The governor and DESE are deflecting from the real problem:

  • Why was the website sending SSNs out, regardless of encryption?
  • Why did the website’s database HAVE SSNs in it in the first place?

You can’t leak what you don’t hold. You can’t lose by decryption what you don’t send. The auditor’s office called it out, they didn’t listen. Or they did the bare minimum to comply.

ECA (profile) says:

Re: It's even the wrong argument...

A lot of places have forgotten the basics of security in the first place.
The WHOLE system, probably, is integrated into the school system. When it pulls up the info it GRABS everything, instead of just the names and info it needs.
Too many systems are designed like that. Instead of using specific, supplied data, they link it to the MAIN system. Which can make the main system hackable. But they didn’t need the hack, because the database grabbed everything.

Anonymous Coward says:

I think most of you miss what he’s doing. Do a google search on "governor parsons hack" and see what you find.

Hint, it won’t be "incompetent dipshit of a governor accuses responsible journalists….".

I went to FoxNews and they didn’t even mention the, um, hack.

He’s just successfully played the media to the only group that matters in Missouri Republicans.

This comment has been deemed insightful by the community.
Vermont IP Lawyer (profile) says:

Governor is also an expert on vaccination!

From his press release last month:

"Today, Governor Mike Parson announced that his administration will reject the Biden Administration’s attempt to enforce an unconstitutional, federal vaccine mandate for Missourians and private businesses. The Office of the Governor has been in communication with leadership from the Missouri General Assembly and the Attorney General’s Office to align resources for a pending legal fight.

"This assault on individual liberty and free enterprise is a poorly executed attempt by the Biden Administration to reset after its disastrous withdrawal from Afghanistan," Governor Parson said. "With our southern border in crisis and as we are experiencing out-of-control inflation, President Biden is desperate to divert attention from his failures. However, Missouri will not be a pawn in this publicity stunt that seeks to force Missourians to disclose private health care decisions and dictate private business operations.""

https://governor.mo.gov/press-releases/archive/governor-parson-condemns-biden-administrations-vaccine-mandate-vows-legal

This comment has been deemed insightful by the community.
That One Guy (profile) says:

Re: 'Only WE are allowed to disclose private information!'

Throws a fit over the idea that people might be told ‘stop being plague carriers and getting people killed’, attacks the messenger when they expose that his government screwed up and exposed SSN’s for a lot of people… what a charming scumbag.

However, Missouri will not be a pawn in this publicity stunt that seeks to force Missourians to disclose private health care decisions and dictate private business operations.""

Well that line didn’t age well.

This comment has been deemed insightful by the community.
Scary Devil Monastery (profile) says:

Re: Governor is also an expert on vaccination!

We can draw one of three plausible conclusions regarding the governor;

1) He knows what he’s talking about but needs to throw more red meat to his base of baying MAGA’s and appease Dear Leader in order to retain standing within the GOP.

2) He’s an ignorant asshole eager to blame the messenger for the failings of his administration.

3) Both of the above.

There’s always been this weird sort of one-upmanship from southern states about trying to prove which state is the most anachronistic, superstitious and backward…but is it just me or has that competition escalated radically in these past few years?

Anonymous Coward says:

Reminds me of publishers

If you want to read New York Times, you have to block their cookies. If you want to read Business Insider, you have to block their third-party scripts. Every publisher seems to have the notion that a "paywall" works by sending you all their content, then telling your browser to hide it.

How long is it before it is an act of "piracy" to change the settings in your browser, or to use one not made by Google?

This comment has been deemed funny by the community.
David says:

Re: Multi-step process, my ass

And some terrorism is just expanding pressure cookers that are closed by default. It’s really troubling that Techdirt is turning into a place where criminal hackers exchange tips about their favorite tools and workflows.

You don’t need to reply to that. You have already been earmarked.

bhull242 (profile) says:

Re: Re: Multi-step process, my ass

The things we’re talking about expanding are expressly designed to be expanded, and—in fact—that is their entire purpose. There’s nothing criminal about it.

Again, every browser has this tool, and its express purpose is to reveal these nodes and allow them to be expanded. You don’t even need to have much computer know-how or download any additional tools to do this.

Anonymous Coward says:

Surprised it was in the HTML source

I thought the standard nowadays was that the HTML source of the page is just a script tag to load the Javascript that loads the Javascript that loads the webapp, so there wouldn’t be anything of value in the source code. (The really high tech websites also include in the HTML a worthless "This page requires Javascript" warning. Budget sites omit that and just dump you to a blank page if the Javascript breaks.)

Anonymous Coward says:

Re: Surprised it was in the HTML source

Yeah, but this was ancient software from the dawn of the internet, when web pages were in web format and everybody assumed that a bank stupid enough to believe only YOU know a number that has to be given to a hundred different people would be out of business and that in any case it was none of YOUR concern if a bank handed out two hundred thousand dollars to a piece of paper with some vital statistics written on it.
