Missouri governor vows criminal prosecution of reporter who found flaw in state website • Missouri Independent

I’m shocked… shocked that a reporter published a newsworthy story about a rookie cyber-blunder made by a powerful government agency.

A reporter viewed the HTML code (a one-click process on many web browsers) and noticed that the social security numbers of school teachers and administrators were embedded in web pages served up by Missouri’s department of education.

The reporter contacted the agency, and held the story until the problem was fixed. The governor is now calling the reporter a “hacker,” and vowing legal action.

“The state is committed to bring to justice anyone who hacked our system and anyone who aided and abetted them to do so,” Parson said, later arguing that the reporter was “attempting to embarrass the state and sell headlines for their news outlet.”

Republican state Rep. Tony Lovasco, who according to his legislative biography has worked in software deployment and maintenance, tweeted Thursday that “it’s clear the Governor’s Office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.

“Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” he said.

Chris Vickery, a California-based data security expert, told The Independent that it appears the department of education  was “publishing data that it shouldn’t have been publishing.

“That’s not a crime for the journalists discovering it,” he said. “Putting Social Security numbers within HTML, even if it’s ‘non-display rendering’ HTML, is a stupid thing for the Missouri website to do and is a type of boneheaded mistake that has been around since day one of the Internet. No exploit, hacking or vulnerability is involved here.” —Missouri Independent