Missouri website vulnerability was present since 2011, investigation finds
The website vulnerability disclosure that led Missouri Gov. Mike Parson to accuse a journalist of “hacking” the state last year stemmed from a flaw that had been around since 2011, according to a police report published Monday.
The Missouri State Highway Patrol released details of its investigation into the disclosure — which had been supplied to state officials last October by St. Louis Post-Dispatch reporter Josh Renaud — finding that a Missouri Department of Elementary and Secondary Education website had been inadvertently exposing teachers and other school employees’ personal identifying information, including Social Security numbers, since it was launched a decade ago.
The Post-Dispatch reported that education department spokesperson Mallory McGowin, who was interviewed during the investigation, told officers that Renaud did not access “anything that was not publicly available, nor was he in a place he should not have been.”
In his original story, Renaud reported that the teachers’ private information was visible via the site’s HTML code, which can be easily viewed with any web browser. But Parson reacted to Renaud’s reporting with the hacking allegation, vowing an investigation into the reporter and the Post-Dispatch, with possible prosecution to follow.
Cole County, Missouri, Prosecutor Locke Thompson announced earlier this month that Renaud will not face any charges, adding that such a case would not be a good use of taxpayer dollars. Renaud said that conclusion came as a “relief,” though it did not undo the “harm done to me and my family” or the chilling effects on journalism and vulnerability research that Parson’s actions could’ve caused.
According to the Missouri State Highway Patrol report, responsibility for the vulnerability appears to lie with the state Office of Administration and its Information Technology Services Division, which created and maintains the website for the Department of Elementary and Secondary Education.
The site, which has both a public side and a secure side available only to certain school-district employees, featured a search tool to look up educators’ qualifications and backgrounds. Officials interviewed during the course of the investigation said that as a member of the media, Renaud would’ve only had access to the public-facing portal. But the HTML code for the search tool revealed that Social Security numbers were not encrypted. With records dating back to 2005, an estimated 576,000 teachers’ information may have been exposed.
The search tool was deactivated shortly after Renaud shared his discovery with state officials, and the Post-Dispatch delayed publication of its initial report to give the state time to fix the flaw. But by the time the first story published the night of Oct. 13, McGowin had been “advised a criminal investigation was being initiated.” Parson made his public accusations the following morning.
An ITSD application developer and client manager later told state police investigators that data on the teacher lookup website should’ve been encrypted and that the site is now being redesigned to shield individuals’ private information. But the officials also said that in the 10 years since the site was launched, no one in the state’s IT division had noticed.
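To make the flaw class described above concrete, here is an added illustration, not code from the state's site (the report does not publish its markup or data model): a lookup page that embeds the Social Security number in a hidden field, the same page rewritten so the number never leaves the server, and a simple response scan of the kind a release check could run. The field names, the sample record and the SSN value are all constructed.

```python
import html
import re
from typing import Dict, List

# Constructed sample lookup result; the real site's fields are unknown here.
SAMPLE_RECORD = {
    "educator_id": "ED-00042",
    "name": "Jane Q. Teacher",
    "certification": "Elementary Education 1-6",
    "ssn": "123-45-6789",  # constructed, not a real number
}

# Dashed and bare nine-digit forms; tune for false positives in real data.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")


def render_lookup_vulnerable(record: Dict[str, str]) -> str:
    """Assumed shape of the flaw: the server writes the SSN into the page
    (here a hidden input) and relies on the browser not displaying it.
    'View source' shows it to anyone who can load the public page."""
    return (
        "<div class='educator'>"
        f"<h2>{html.escape(record['name'])}</h2>"
        f"<p>{html.escape(record['certification'])}</p>"
        f"<input type='hidden' name='ssn' value='{html.escape(record['ssn'])}'>"
        "</div>"
    )


def render_lookup_fixed(record: Dict[str, str]) -> str:
    """Hardened form: only the fields the public portal is meant to show,
    plus an opaque non-sensitive identifier for follow-up requests."""
    return (
        "<div class='educator'>"
        f"<h2>{html.escape(record['name'])}</h2>"
        f"<p>{html.escape(record['certification'])}</p>"
        f"<input type='hidden' name='educator_id' value='{html.escape(record['educator_id'])}'>"
        "</div>"
    )


def find_ssns_in_response(body: str) -> List[str]:
    """Release/QA check: scan a rendered response for SSN-shaped strings.
    Works on the raw body, so visually hidden values are still caught."""
    return SSN_PATTERN.findall(body)


if __name__ == "__main__":
    print("vulnerable:", find_ssns_in_response(render_lookup_vulnerable(SAMPLE_RECORD)))
    print("fixed:", find_ssns_in_response(render_lookup_fixed(SAMPLE_RECORD)))
```

Running the scan against a staging copy of every public page is cheap, and it flags the exposure whether or not the value is visible when rendered.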