Missouri Governor Mike Parson is threatening legal action against a reporter and newspaper that responsibly disclosed a security flaw which made teachers' and educational staff's Social Security numbers easily accessible.
According to the St. Louis Post-Dispatch, the paper informed the Missouri Department of Elementary and Secondary Education (DESE) that one of its tools was returning HTML pages containing employee SSNs, potentially exposing the personal information of more than 100,000 employees. The governor called the reporter a hacker even though the outlet did not publish the story until the state had taken the tool down. Governor Parson said that he would be getting the county prosecutor involved.
The Post-Dispatch reports that the tool was created to let the public look up teachers' credentials. The page it returned reportedly included the employee's SSN, although the number did not appear as visible text. KrebsOnSecurity reports, however, that it could be seen by right-clicking on the page and choosing View Source or Inspect Element.
According to some reports, it was as simple as clicking View Source to see employees' SSNs.
The reporter disclosed the vulnerability in accordance with standard procedures, but the governor is treating him as though he were attacking the site or trying to obtain teachers' private information for his own purposes.
Governor Parson characterized the reporter's actions as "decoding" HTML source code, which makes them sound suspicious and clandestine. What he is actually describing is how viewing a website works. The server's job is to send an HTML file to your computer so that your browser can display it. Nothing in that file is secret, even if it isn't visible on your screen while you are looking at that particular page. Governor Parson claims that DESE's website does not give users access to the SSN data, yet the data was freely available in the pages it sent.
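As an added illustration of this point (not code from the original article or from the state's tool), the following Python script audits an HTML response the way a defender would: it reports every SSN-shaped value in the document and whether it sits in text the browser renders or in parts of the page (comments, hidden inputs, attributes, script bodies) that are in the bytes the server sent but never appear on screen. The sample page and the SSN-like values in it are constructed.

```python
import re
from html.parser import HTMLParser

# US SSN shape AAA-GG-SSSS; the sample values below are constructed, not real SSNs.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

class SsnAuditor(HTMLParser):
    """Record every SSN-shaped string in a response and where it sits: rendered
    text, or a location the viewer never sees but the server still transmitted."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (location, masked value) in document order
        self._raw = None     # set while inside <script> or <style>
    def _record(self, location, text):
        for m in SSN_RE.finditer(text):
            self.findings.append((location, "***-**-" + m.group(0)[-4:]))
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw = tag
        attrs = dict(attrs)
        hidden = tag == "input" and (attrs.get("type") or "").lower() == "hidden"
        for name, value in attrs.items():
            if value is not None:
                self._record("hidden-input" if hidden else f"attribute:{name}", value)
    def handle_endtag(self, tag):
        if tag == self._raw:
            self._raw = None
    def handle_data(self, data):
        # HTMLParser hands <script>/<style> bodies to handle_data as raw text
        self._record(self._raw or "rendered-text", data)
    def handle_comment(self, data):
        self._record("comment", data)

def audit_response(html):
    """Return [(location, masked_ssn), ...] for an HTML body, in document order."""
    parser = SsnAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the page displays only a name and credential, yet the SSN
# travels in a comment, a hidden form field and a data attribute.
SAMPLE_PAGE = """<html><body><h1>Educator Credential Lookup</h1>
<p>Name: Jane Example. Certificate: Teaching (valid)</p>
<!-- record key 123-45-6789 -->
<form><input type="hidden" name="ssn" value="123-45-6789"></form>
<div data-ssn="123-45-6789">Status: active</div></body></html>"""
```

Running `audit_response` on a server's own responses in a test suite catches exactly this class of leak: nothing the script reports from a hidden location should be there, because the browser received it whether or not it was drawn.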
Below is the Governor's full press conference.
The Verge reached out to Missouri DESE for clarification on whether the tool was public or required a login. In response, DESE stated that its only comment (due to the ongoing investigation) was that the data is now secure. Whether or not it was behind a login, the fact that the data was accessible at all is the problem.
The governor's response is a blatant disregard for standard practice
Missouri's response is, to be blunt, completely contrary to standard practice. Many companies run security or bug bounty programs worth hundreds of thousands of dollars, paying hackers who discover and disclose exactly this kind of flaw. Bounties make a system safer: yes, hackers will find and exploit vulnerabilities, but if a flaw can be found, someone likely already has, and a bounty gives the finder a reason to hand you the information you need to fix it rather than sell it on the dark web or use it for personal gain. Sums like that are not realistic for school districts, which often have underfunded IT departments, but there is a lot of room between paying large amounts of money and threatening legal action.
Governor Parson claims that the incident could cost state taxpayers $50 million. A malicious hacker finding the same trove of SSNs would likely have been far more costly: the state would still have had to fix the flaw and probably pay for identity protection services, and teachers would have had strong claims against it.
Even if you aren't publicly called out, vulnerabilities must still be fixed
Along with a press release from the Office of Administration, Governor Parson clarified that SSNs could only be accessed one at a time, and that the HTML files did not include a list of employees' private information. As anyone who has seen the opening scene of The Social Network knows, however, a script can fetch every page from an application and extract a specific field from each. That the reporter did not do this (and it would have been irresponsible for him to) does not mean it was impossible.
Punishing this disclosure is what puts Missourians at risk
To be clear: suing the reporter, the news outlet or anyone else involved will not help Missourians. What puts Missourians most at risk is that no one will report security problems in public systems if doing so means having law enforcement sent after them. Security flaws are unfortunate, but they will happen; the Post-Dispatch reported that a 2015 audit found DESE had been keeping student SSNs. The real test for public entities and private companies alike is not whether a flaw happens but how you respond to it, and Governor Parson appears to be failing that test.
Update, October 14, 2005, 5:52 PM ET: Updated to reflect comments from DESE.