A journalist who uncovered a security flaw in a Missouri Department of Elementary and Secondary Education web application that allowed the public to search teacher certifications and credentials should be commended.
But Missouri’s governor and the affected state agency think otherwise.
The St. Louis Post-Dispatch found that the Social Security numbers of perhaps 100,000 teachers and school officials were in the HTML source code of the pages involved. No private information was clearly visible. The newspaper reported the flaw to the state agency and waited to publish any report until the information was removed from the state website.
This is how watchdog journalism should work. This is a prime example of how the media can not only monitor a government’s actions but also act as community advocates by alerting the appropriate agency so it can safeguard the teachers’ information.
Gov. Mike Parson instead went after the messengers, announcing a criminal investigation and saying that the news outlet would be held accountable.
The Missouri Department of Elementary and Secondary Education released statements describing the Post-Dispatch journalist as a “hacker.” The following day, Parson said the “individual” was attempting to “embarrass the state and sell headlines for their news outlet.”
The governor continued: “We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta.”
If the goal was to “embarrass the state,” the newspaper could have gone forward with the story without alerting the state agency or kept silent and risked seeing the information fall into the hands of real hackers with malicious intent.
For his part, Parson said the state is “working to strengthen our security to prevent this incident from happening again. The state is owning its part, and we are addressing areas in which we need to do better than we have done before.”
That’s where this investigation should begin and end.
The data on the website was encoded but not encrypted, said Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis. No one can view encrypted data without the specific decryption key used to hide the data. But encoded just means the data is in a different format and can be relatively easily decoded and viewed.
“Anybody who knows anything about development — and the bad guys are way ahead — can easily decode that data,” Khan said.
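The encoded-versus-encrypted distinction above, as an added illustration that is not part of the editorial or of the state's application: a constructed credential-lookup page embeds a Social Security number in its HTML source either base64-encoded (an assumption; the reports say only "encoded") or XORed with a random server-side key (a one-time pad, used here only to show that ciphertext reveals nothing without the key), and a pre-publication check scans the page the way a reviewer or a release pipeline would.

```python
import base64
import binascii
import re
import secrets

# Patterns for a US SSN and for base64-looking tokens in page source.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def encoded_page(ssn: str) -> str:
    """Constructed sample page: the SSN is merely base64-encoded (assumed
    encoding), so anyone who views the source can recover it."""
    token = base64.b64encode(ssn.encode()).decode()
    return f'<div data-cred="{token}">Certified teacher</div>'


def encrypted_page(ssn: str, key: bytes) -> str:
    """Same page, but the value is XORed with a random key that never leaves
    the server (one-time pad; illustration of 'needs the key', not a
    recommended scheme, and the better fix is to omit the SSN entirely)."""
    data = ssn.encode()
    assert len(key) >= len(data), "one-time pad key must cover the data"
    ciphertext = bytes(a ^ b for a, b in zip(data, key))
    return f'<div data-cred="{base64.b64encode(ciphertext).decode()}">Certified teacher</div>'


def find_exposed_ssns(html: str) -> list:
    """Defender-side check: report SSNs present in page source, whether
    plaintext or hidden behind reversible base64 encoding."""
    found = set(SSN_RE.findall(html))
    for token in B64_RE.findall(html):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text: nothing to decode
        found.update(SSN_RE.findall(decoded))
    return sorted(found)


if __name__ == "__main__":
    ssn = "123-45-6789"  # constructed sample, not a real number
    print(find_exposed_ssns(encoded_page(ssn)))  # -> ['123-45-6789']
    key = secrets.token_bytes(len(ssn))
    print(find_exposed_ssns(encrypted_page(ssn, key)))  # -> []
```

Run against a rendered page before release; a non-empty result means sensitive data is in the source regardless of how it is dressed up.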
The bigger problem is that the sensitive data was there at all — and that’s why the journalist and the Post-Dispatch should be praised, not investigated.