Missouri Gov. Mike Parson launched a criminal investigation of a reporter who flagged a state website that exposed 100K+ Social-Security numbers for teachers and other state employees.
The St. Louis Post-Dispatch newspaper recently found a huge security blunder: The Missouri educational agency’s site was displaying 100,000+ clearly visible Social-Security numbers for school teachers, administrators and counselors in its HTML source code.
The newspaper verified its findings with a cybersecurity professor and then informed the agency responsible for the leaking site – the Department of Elementary and Secondary Education (DESE) – on Tuesday. On the same day, the DESE took down the affected pages. Then, on Wednesday, having waited to disclose the vulnerability until after the pages came down, the outlet published its story.
The next day, on Thursday morning, a naked emperor shot the messenger, as Missouri Gov. Mike Parson threatened legal action against whoever found the vulnerability and whoever may have helped them.
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.