Missouri’s governor has accused a news reporter of hacking a state web page and threatened to prosecute him, after the journalist warned that teachers’ private data was publicly accessible in the site’s source code.
Tens of thousands of social security numbers were visible as plain text within the HTML structure of an application that allowed users to review educators’ credentials, according to a St Louis Post-Dispatch report.
The newspaper alerted Missouri officials after discovering the vulnerability and waited until it had been addressed before publishing its story on Thursday.
In response to the embarrassing coverage, Missouri’s Republican governor Mike Parson called the Post-Dispatch reporter a “hacker” and ordered prosecutors to investigate.
He tweeted: “A hacker is someone who gains unauthorised access to information or content. This individual did not have permission to do what they did. They had no authorisation to convert and decode the code.”
After his comments were widely criticised, Mr Parson insisted the “hack” was “more than a simple ‘right-click’”. However, any web user can inspect a site’s source code with a few mouse clicks. This is a standard feature of browser software.
Making clear he intended to shoot the messenger, Mr Parson said in a press conference the Post-Dispatch reporter was “not a victim”.
He added: “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished.”
Criticism was even levelled by figures within Mr Parson’s own party. Tony Lovasco, a GOP state senator, tweeted that the governor’s office “has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities”.
The Post-Dispatch’s president and publisher, Ian Caso, stood by the story and the reporter, who he said “did everything right”. A lawyer for the paper said the reporter involved had acted responsibly and that there had been “no breach of any firewall or security and certainly no malicious intent”, meaning he had not broken the law.
And a spokesperson for the teachers’ union AFT St Louis, Local 420, said it was “concerned over the attempt to deflect responsibility and politicise what is very obviously a security breach by the state”.
Additional reporting by Associated Press