Missouri Gov. Mike Parson listens to a question at a press conference.
Enlarge / Missouri Gov. Mike Parson at a press conference in May 2019.

A police report debunks the claim that a journalist who helped the state identify and fix a website security flaw was ahacker and criminal.

In October, Parson demanded the investigation and called for criminal charges against the reporter. The Republican governor said that he would not allow this crime against Missouri teachers to be unpunished, and that he was acting against a state agency to compromise teachers personal information in an attempt to disgrace the state and sell headlines for their news outlet.

According to the police report, Renaud did exactly what he said he would do from the beginning: He identified a security flaw by viewing publicly available code on a state website and waited to publish his findings until after the state closed the security hole.

The security flaw was discovered by the police report. The mistake allowed anyone to search for information about teachers on the Department of Elementary and Secondary Education website. The report said that Social Security numbers may have been exposed for up to 576,000 teachers.

The Missouri State Highway Patrol police report was posted yesterday by the Post-Dispatch along with an article about the report. Three officers were involved in the investigation. The Post-Dispatch wrote that there was no cost estimate.

Advertisement

Prosecutor closed investigation without charges

Cole County Prosecutor Locke Thompson received the police report about two months ago. Thompson announced on February 11 that he closed the investigation without charges and that the issues at the heart of the investigation have been resolved through non-legal means.

The police report states that interviews were conducted in October with state employees, and that Shaji Khan is a professor at the University of Missouri-St. Louis helped verify the vulnerability. The case was closed on October 29 but was listed as a suspect in the report.

The report shows that state officials knew that no crime had been committed and that they should never have maintained a public website with such a security flaw. The report clearly shows that state officials committed all of the wrongdoing.

Reporter “only accessed open public data”

According to the police, the problem was an error or oversight when the application was developed, and that the vulnerability would have been there since 2011.

She stated that Mr. Renaud only accessed publicly available data. According to the police report, she said that Josh Renaud only accessed open public data.

The Post-Dispatch reported in October that 100,000 Social Security numbers had been exposed, but Mrs. McGowin said the data would have dated back to 2005. The initial estimate of 100,000 was based on the current year, and he said he observed information indicating other years of information and possibly retirees.

The database is overseen by the Office of Administration, which the governor controls, according to the Post-Dispatch.