- Missouri Governor threatened legal action against a reporter who found a cybersecurity blunder.
- The journalist discovered educators' social security numbers exposed in the source code of the Department of Elementary and Secondary Education website.
- The data leak was made public only after the state had been informed and the site taken down.
A journalist at the St. Louis Post-Dispatch newspaper discovered the social security numbers of more than 100,000 school teachers, administrators, and counselors sitting in plain view in the HTML source code of the Missouri educational agency's website while browsing the internet. The Department of Elementary and Secondary Education (DESE) took down the website the same day and is now searching for further lapses.
The publication consulted a cybersecurity professor before informing the agency about the leak and waited for the issue to be resolved before publishing its findings. Of course, since the SSNs were present in the HTML source code, anyone with a browser could see them without much effort.
However, Missouri Governor Mike Parson took to Twitter to promise legal prosecution of the reporter who discovered the security issue and of any accomplices. He went on to call the unidentified journalist a hacker and asked the Cole County prosecutor and the Missouri State Highway Patrol's Digital Forensic Unit to investigate. Moreover, the Governor even said he would make the people who found the blunder pay "as much as $50 million" in incident-response costs.
According to Gov. Parson, the journalist pulled up the records of at least three educators, "decoded the HTML code," and gained access to the Social Security Numbers. While this may sound like a solid reason to suspect foul play, anyone who knows how browsers work can see that it is not. A browser decodes the HTML it receives on every page load, so the Social Security Numbers were already decoded by the browser for every visitor to the page, and viewing the page source simply shows the same text the server sent; the journalist did not "hack" anything to get them.
Jake Williams, co-founder and CTO at incident-response provider BreachQuest, and Tim Wade, technical director on the CTO team at AI cybersecurity company Vectra, agree that discovering blunders like this in 2021 is quite shocking, and that politicians have not learned from previous mistakes. The case echoes a similar event in 2017, when then-Georgia Secretary of State Brian Kemp accused cybersecurity researchers of "hacking" after they procured voter records from a Kennesaw State web server. No charges were filed in that incident, and the eventual outcome of this one is likewise open to speculation.
Meanwhile, Prof. Khan of the University of Missouri, the cybersecurity professor the newspaper consulted, recommended that the state audit its applications to mitigate such cybersecurity lapses. He called the blunder "mind-boggling" and questioned how the DESE could make such a huge mistake. Following that recommendation, the DESE initiated an audit on Tuesday which, as of Wednesday, had returned no red flags yet.