State to pursue prosecution of reporter who exposed DESE data vulnerability

In a news conference Thursday, Oct. 14, 2021, Missouri Gov. Mike Parson addresses the Department of Elementary and Secondary Education's compromised web application discovered Tuesday, Oct. 12, 2021, and efforts to investigate and prosecute the St. Louis Post-Dispatch for finding the security flaws. Parson was joined by Department of Public Safety Director Sandy Karsten and Capt. John Hotz of the Missouri Highway Patrol. (Ryan Pivoney/News Tribune photo)

The state of Missouri is investigating the St. Louis Post-Dispatch's discovery of vulnerable data on a Department of Elementary and Secondary Education web application with the intention to prosecute, the governor announced Thursday.

On Tuesday, personally identifiable information of three Missouri teachers, including their Social Security numbers, was accessed through a DESE web application tool from 2011 that local education agencies can use to verify the certificates held by educators.

Local education agencies can use the last four digits of an educator's Social Security number as a piece of unique information when searching to verify certifications.

"We also do not know why this individual is seeking to access, convert and take personal information from Missouri teachers," Parson said in a news conference Thursday. "But let me be clear, this administration is standing up against any and all perpetrators who will attempt to steal personal information and harm Missourians."

In an article published Wednesday night, the St. Louis Post-Dispatch identifies itself as the news outlet that discovered the vulnerability and reported the issue to DESE, prompting the web application to be disabled.

While the private information wasn't clearly visible or searchable on any DESE web pages, according to the article, the teachers' Social Security numbers were accessible in the HTML source code of the pages.

HTML source code is generally accessible to view through a web browser and acts as the back-end foundation for a web page.

The Post-Dispatch found the vulnerability and worked with three educators to confirm the nine-digit numbers were Social Security numbers, the article states. The newspaper then told DESE it confirmed the vulnerability with educators and a cybersecurity expert.

The Post-Dispatch delayed publication of its reporting to give the department time to remedy the flawed web application and assess potential flaws within other state government websites.

According to the Post-Dispatch's reporting, more than 100,000 Social Security numbers of Missouri school teachers, administrators and counselors were vulnerable to public exposure.

"The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse," Post-Dispatch attorney Joseph Martineau said in a statement for the newspaper's Wednesday article. "A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent."

In a hasty news conference Thursday morning that did not provide time for questions, Parson said the records were taken in a multi-step process that involved viewing the website's HTML source code.

He said the individual who accessed the educators' information was not authorized and took steps to convert or decode the information, calling the reporter a "hacker."

"This data was not freely available and had to be converted and decoded in order to be revealed," Parson said.

The St. Louis Post-Dispatch disputes the characterization.

"For DESE to deflect its failures by referring to this as 'hacking' is unfounded," Martineau's statement continues. "Thankfully, these failures were discovered."

Parson said the state is working to identify the teachers whose information was compromised and any others who might also be compromised.

"This individual is not a victim. They were acting against a state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet," Parson said. "We will not let this crime against Missouri teachers go unpunished, and we refuse to let them be a pawn in the news outlet's political vendetta."

Parson said his administration has notified Cole County Prosecutor Locke Thompson of the incident and is working with the Missouri State Highway Patrol Division of Drug and Crime Control to conduct an investigation of everyone involved.

Parson said the investigation could cost up to $50 million.

The results of the investigation will go to Thompson.

"Once the investigation is complete, I will review the evidence and determine whether criminal charges are appropriate," Thompson said.

Missouri Supreme Court rules prohibit Thompson from commenting further on pending investigations.

During the news conference Thursday, Parson cited state statute 569.095, which says a person commits computer data tampering if they knowingly and without permission access, take and examine personal information about another person.

He said the state is coordinating its resources to respond and will use all legal methods available to hold the individual reporter and newspaper accountable.

Tampering with computer data is a class A misdemeanor but could be considered a class E felony if the offense is to devise or execute a scheme to defraud or obtain property worth $750 or more.

Parson said the state would also be looking into a civil suit to recover damages against those involved.

House Minority Leader Crystal Quade, D-Springfield, said Thursday the governor should be thankful the Post-Dispatch caught the flaw and reported it to DESE.

"In the finest tradition of public interest journalism, the Post-Dispatch discovered a problem - one publicly discernible to anyone who bothered to look; it verified the problem with experts; and it brought the problem to the attention of state officials for remedial action," Quade said in a news release. "The governor should direct his anger towards the failure of state government to keep its technology secure and up to date and to work to fix the problem, not threaten journalists with prosecution for uncovering those failures."

Parson said the state is also working to strengthen security and address vulnerable areas.