Missouri Gov. Mike Parson is threatening to sue a reporter and the newspaper that discovered and responsibly disclosed a security flaw which left the Social Security numbers of teachers and education staff exposed and easily accessible.
The St. Louis Post-Dispatch reports that it informed the Missouri Department of Elementary and Secondary Education (DESE) that one of its tools was returning HTML pages containing employee SSNs, potentially endangering the information of more than 100,000 employees. Even though the outlet waited to publish its story until the state had taken the tool offline, the reporter was labeled a “hacker” by Governor Parson, who says he will involve the county prosecutor and investigators.
According to the Post-Dispatch, the tool that contained the vulnerability was designed to let the public look up teachers’ credentials. However, it also reportedly included the employee’s SSN in the page it returned. While the number apparently did not appear as visible text on the screen, KrebsOnSecurity reports that getting to it was as easy as right-clicking the page and choosing Inspect Element or View Source.
While the reporter followed standard protocols to disclose and report the vulnerability, the governor is treating him as if he had attacked the site or tried to gain access to teachers’ private information for nefarious purposes.
At a press conference, Governor Parson described the journalist’s actions as “decoding the HTML source code”, making it sound suspicious and underground. But that literally describes how viewing a website works: it is the server’s job to send an HTML file to your computer so you can see the page, and whatever is included in that file is not secret, even if it is not visibly drawn on your screen when you view the page. Governor Parson says that nothing on the DESE website gave users permission to access the SSN data, but the site handed that data out freely.
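The point that a server response is not secret just because part of it is not drawn on screen is easy to turn into a pre-release check. The following is an added example written for this page, not code from the article, the Post-Dispatch or DESE: it renders a constructed teacher-credential record two ways, a leaky template that tucks the SSN into a hidden input and an HTML comment (the pattern the article describes) and a corrected one that sends only public fields plus an opaque record id, then scans the full response body, rendered or not, for SSN-shaped values. The record, field names and the placeholder SSN are all made up for the example.

```python
import re
from html.parser import HTMLParser

# Shape of a US Social Security number (NNN-NN-NNNN). Enough for a
# release smoke test; a production DLP rule would be broader.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample record; the SSN is a placeholder, not real data.
SAMPLE_RECORD = {
    "id": "T-0001",
    "name": "Jane Example",
    "certificate": "Initial Professional Certificate, Elementary 1-6",
    "ssn": "123-45-6789",
}


class SensitiveFieldScanner(HTMLParser):
    """Visits every part of an HTML response, rendered or not: element
    text, attribute values (hidden inputs, data-* attributes), comments,
    and inline script/style content, which HTMLParser hands to handle_data."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, location, value):
        for match in SSN_RE.finditer(value or ""):
            self.findings.append((location, match.group()))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            self._check(f"{tag}[{name}]", value)

    def handle_data(self, data):
        self._check("text", data)

    def handle_comment(self, data):
        self._check("comment", data)


def scan_html(html):
    """Return (location, value) pairs for every SSN-shaped string
    anywhere in the response body, in document order."""
    scanner = SensitiveFieldScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def render_leaky(record):
    """The failure mode described above: the page shows only public
    fields, but the template also carries the SSN in a hidden input and
    a developer comment. Neither is drawn on screen; both reach the browser."""
    return f"""<!-- record {record['id']} ssn {record['ssn']} -->
<h1>{record['name']}</h1>
<p>{record['certificate']}</p>
<form method="post" action="/verify">
  <input type="hidden" name="ssn" value="{record['ssn']}">
  <button>Verify</button>
</form>"""


def render_fixed(record):
    """Corrected template: only public fields and an opaque record id go
    out. Anything the SSN is needed for happens server-side, keyed by
    that id, so the number never leaves the server."""
    return f"""<h1>{record['name']}</h1>
<p>{record['certificate']}</p>
<form method="post" action="/verify">
  <input type="hidden" name="record" value="{record['id']}">
  <button>Verify</button>
</form>"""


def response_is_clean(html):
    """Gate a template or response on containing no SSN-shaped values."""
    return not scan_html(html)


if __name__ == "__main__":
    for label, page in (("leaky", render_leaky(SAMPLE_RECORD)),
                        ("fixed", render_fixed(SAMPLE_RECORD))):
        print(label, scan_html(page))
```

Running `scan_html` over the leaky page reports the SSN twice, once from the comment and once from the hidden input’s `value` attribute, even though neither is visible in a browser; the fixed page reports nothing. A check like this belongs in a template test or an outbound response filter so that a field can’t quietly ride along in the HTML.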
You can see the governor’s full press conference below.
The Verge contacted Missouri DESE to clarify whether the tool was publicly available or required a login, but did not immediately receive a response. Of course, the data being accessible at all is a problem whether or not it sits behind a login.
Missouri’s response is, to put it bluntly, the exact opposite of standard practice. Many organizations run bug bounties or security bounties worth hundreds of thousands of dollars, which they pay to hackers who responsibly find and disclose vulnerabilities like these. The reason they exist is that they make your systems more secure: yes, people will go looking for and find vulnerabilities, but someone was probably doing that already. With a bug bounty, they tell you so that you can fix the problem rather than selling the information on the dark web or using it for personal gain. Obviously, sums like that are unreasonable for school districts, whose IT departments are often underfunded because of tight budgets, but there are many options between paying large amounts of money and threatening legal action.
Governor Parson said the incident could cost state taxpayers $50 million. If a malicious hacker had found the trove of SSNs, it probably would have cost even more: the state would still have had to fix the system, and teachers would have had solid claims against it if they needed identity protection services.
Governor Parson (along with a press release from the Office of Administration) clarified that SSNs were only accessible one at a time; a list of every employee’s private information was not included in the HTML files. But as anyone who has watched the opening scene of The Social Network knows, it can be trivial for hackers to download every page of an application and extract specific information from them. Just because the journalist did not do so (it would undoubtedly have been irresponsible if he had) does not mean it was not possible, nor does it say anything good about the state’s security practices.
To be clear: suing the reporter, the media outlet, and anyone involved will only serve to endanger the people of Missouri, because no one will want to report the security holes they find in public systems if the state’s response is to send the police after them. Security breaches like this are extremely regrettable, but they will inevitably occur (the Post-Dispatch reports that a 2015 audit found DESE had been storing student SSNs). For public entities as for businesses, the real test isn’t whether it happens but how you respond to it. Unfortunately, it appears that Governor Parson is failing that test.