Missouri state government officials planned to publicly thank a journalist who discovered a security flaw until a drastic change in strategy resulted in the governor labeling the journalist a “hacker,” while threatening both a lawsuit and prosecution.
As we wrote on October 14, St. Louis Post-Dispatch reporter Josh Renaud identified a security flaw that exposed the Social Security numbers of teachers and other school employees in unencrypted form in the HTML source code of a publicly accessible website. Renaud and the Post-Dispatch handled the problem the way responsible security researchers do—by notifying the state of the security flaw and keeping it secret until after it was fixed.
Despite that, Missouri Gov. Mike Parson called Renaud a “hacker” and said the newspaper’s reporting was nothing more than a “political vendetta” and “an attempt to embarrass the state and sell headlines for their news outlet.” The Republican governor said further that his “administration has notified the Cole County prosecutor of this matter,” that the Missouri State Highway Patrol’s Digital Forensic Unit would investigate “all of those involved,” and that state law “allows us to bring a civil suit to recover damages against all those involved.”
“We are grateful to the member of the media”
But only two days earlier, a government spokesperson was preparing a quote to publicly thank the journalist, as the Post-Dispatch reported today:
In an Oct. 12 email to officials in Gov. Mike Parson’s office, Mallory McGowin, spokeswoman for DESE [Department of Elementary and Secondary Education], sent proposed statements for a press release announcing the data vulnerability the newspaper uncovered.
“We are grateful to the member of the media who brought this to the state’s attention,” said a proposed quote from Education Commissioner Margie Vandeven.
The Parson administration and DESE did not end up using that quote. The next day, on Oct. 13, the Office of Administration issued a news release calling the Post-Dispatch journalist a “hacker.” And on Oct. 14, Parson held a news conference to rail against the Post-Dispatch and announce a criminal investigation by the Missouri State Highway Patrol.
“We will not let this crime against Missouri teachers go unpunished,” Parson said at the news conference. “And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”
The Post-Dispatch obtained the October 12 email in a public-records request. The plan to thank the journalist was apparently scrapped by 1:18 pm on October 13, when “McGowin emailed Kelli Jones and Johnathan Shiflett, who both work in the governor’s office, to say Vandeven wanted her to meet with governor’s office officials,” the Post-Dispatch wrote. A draft news release emailed by McGowin at 3:46 pm, apparently after that meeting, referred to the journalist as an “individual.” A further revision emailed by Shiflett at 4:20 pm called him a “hacker.”