Newly Revealed Details Show That Missouri Government Totally Knew That Journalists Were Not At Fault For Teacher Data Vulnerability
from the of-course-they-knew dept
Kudos to open records laws for proving to us that not only is Missouri Governor Mike Parson a technologically illiterate hack, but he's a lying one as well. You'll recall, of course, that in October, the St. Louis Post-Dispatch reported on how the state's Department of Elementary and Secondary Education (DESE) website was designed in such a dangerous way that it was exposing the Social Security numbers of state teachers and administrators. Rather than thanking the journalists for their ethical disclosure of this total security fail by the state, DESE and Governor Parson called them hackers and asked law enforcement to prosecute them. Governor Parson continued to double down for weeks, insisting that reporting this vulnerability (and failed security by the government he runs) was malicious hacking, until DESE finally admitted it fucked up and apologized to the over 600,000 teachers and administrators whose data was vulnerable -- but never apologized to the journalists.
The Post-Dispatch, whose reporters potentially still face charges, put out an open records request to find out more about what the government was saying and discovered, somewhat incredibly, that before DESE referred to them as hackers, it already knew that it was at fault here and even initially planned to thank the journalists. As the documents reveal, the FBI flat out told DESE that this was a DESE fuckup and DESE had sent Gov. Parson a planned statement that thanked the journalists:
In an Oct. 12 email to officials in Gov. Mike Parson’s office, Mallory McGowin, spokeswoman for DESE, sent proposed statements for a press release announcing the data vulnerability the newspaper uncovered.
“We are grateful to the member of the media who brought this to the state’s attention,” said a proposed quote from Education Commissioner Margie Vandeven.
The Parson administration and DESE did not end up using that quote.
The next day, on Oct. 13, the Office of Administration issued a news release calling the Post-Dispatch journalist a “hacker.”
This is truly incredible. As are the details of the conversation between a Missouri employee and a local FBI agent.
Meanwhile, at 3:24 p.m. on Oct. 13, Angie Robinson, cybersecurity specialist for the state, emailed Department of Public Safety Director Sandra Karsten to inform her that she had forwarded emails from the Post-Dispatch to Kyle Storm with the FBI in St. Louis.
“Kyle informed me that after reading the emails from the reporter that this incident is not an actual network intrusion,” she said.
Instead, she wrote, the FBI agent said the state’s database was “misconfigured.”
“This misconfiguration allowed open source tools to be used to query data that should not be public,” she wrote.
So, by the time of the "hacker" statement by DESE, it was already pretty clear to people within DESE that it was DESE at fault and not journalists ethically disclosing DESE's terribly bad security practices. However, the report also notes that the FBI and the local Assistant US Attorney were still investigating whether or not they could bring criminal charges against the journalists:
“Kyle said the FBI would speak to Gwen Carroll, the AUSA (Assistant U.S. Attorney), with the updated information from the emails to see if this still fit the crime and if she was interested in prosecuting,” Robinson said.
Oh, and even worse: technically the criminal investigation is still ongoing:
As of Tuesday, the Highway Patrol’s investigation was still active, Capt. John Hotz told the Post-Dispatch.
That investigation needs to be closed, and everyone involved, from DESE to Governor Parson to the Highway Patrol, owes the St. Louis Post-Dispatch, its reporters, and the citizens of Missouri a massive apology.