More than two weeks after a newspaper reporter showed Missouri officials that a state education agency website was exposing teachers’ Social Security numbers, the state purchased credit-monitoring services for the people whose information may have been affected.
According to the St. Louis Post-Dispatch, Missouri last Friday awarded a $4.5 million contract to Identity Theft Guard Solutions Inc., an Oregon firm, to notify more than 100,000 educators that their personal information was potentially exposed and provide them with free credit monitoring through February.
Though complimentary credit monitoring is a routine offering after a data leak or breach, Missouri Gov. Mike Parson over the weekend continued to dig in on his accusation that the Post-Dispatch was “hacking” the state government when its reporter notified the Department of Elementary and Secondary Education about the website flaw.
“Why would you even be doing that?” Parson said in an interview with “This Week in Missouri Politics,” a local television talk show. “Why would anybody, whether it’s the media, whether it’s the private sector, why would you be trying to get into a system? If you see an opening there, why would you not simply say, ‘Hey, you’ve got a problem here.’”
Emails between the Post-Dispatch and the Department of Elementary and Secondary Education obtained by StateScoop show that the reporter, Josh Renaud, told state officials he would withhold publication of his initial story for up to two days so the flaw — which included teachers’ Social Security numbers exposed in HTML code — could be addressed.
Renaud also provided officials with the detailed steps he used to find and confirm the vulnerability, which were verified by a computer-science professor at the University of Missouri—St. Louis. Independent vulnerability researchers told StateScoop Renaud did “nothing out of line.”
The Post-Dispatch has continued to stick by its reporting, telling StateScoop last week that, “We believe no basis exists to justify any investigation.”
While a website’s HTML is readily available in any desktop browser, Parson has described the Post-Dispatch’s reporting as an elaborate operation worthy of an investigation by the Missouri State Highway Patrol’s cybercrime unit, a charge he repeated during the interview.
“It’s much more than a right click,” he said. “Because you got to talk about decoders and all these kinds of things that were used.”
Parson also appeared to question the practice of vulnerability disclosure in general and said he would also want to see criminal charges filed if a state employee was found to have helped the Post-Dispatch discover the website flaw.
“It’s against the law to do this,” he said. “It doesn’t matter whether it’s the Post-Dispatch. It doesn’t matter if it’s a private citizen.”