Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Missouri governor Mike Parson threatens to prosecute reporter who found website security flaw

Politician accused of dodging blame and having ‘fundamental misunderstanding’ of how internet works

Jon Sharman
Friday 15 October 2021 11:59 BST
Comments
Missouri governor threatens reporter with 'hacking' prosecution

Missouri’s governor has accused a news reporter of hacking a state web page and threatened to prosecute him, after the journalist warned that teachers’ private data was publicly accessible in the site’s source code.

Tens of thousands of social security numbers were visible as plain text within the HTML structure of an application that allowed users to review educators’ credentials, according to a St Louis Post-Dispatch report.

The newspaper alerted Missouri officials after discovering the vulnerability and waited until it had been addressed before publishing its story on Thursday.

In response to the embarrassing coverage, Missouri’s Republican governor Mike Parson called the Post-Dispatch reporter a “hacker” and ordered prosecutors to investigate.

He tweeted: “A hacker is someone who gains unauthorised access to information or content. This individual did not have permission to do what they did. They had no authorisation to convert and decode the code.”

After his comments were widely criticised, Mr Parson insisted the “hack” was “more than a simple ‘right-click’”. However, any web user can inspect a site’s source code with a few mouse clicks. This is a standard feature of browser software.

Making clear he intended to shoot the messenger, Mr Parson said in a press conference the Post-Dispatch reporter was “not a victim”.

He added: “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished.”

Criticism was even levelled by figures within Mr Parson’s own party. Tony Lovasco, a GOP state senator, tweeted that the governor’s office “has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities”.

The Post-Dispatch’s president and publisher, Ian Caso, stood by the story and the reporter, who he said “did everything right”. A lawyer for the paper said the reporter involved had acted responsibly and that there had been “no breach of any firewall or security and certainly no malicious intent”, meaning he had not broken the law.

And a spokesperson for the AFT St Louis, Local 420 teachers’ union said it was “concerned over the attempt to deflect responsibility and politicise what is very obviously a security breach by the state”.

Additional reporting by Associated Press

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in