Missouri governor labels reporter a hacker, threatens criminal prosecution

October 13, 2021

Missouri Gov. Mike Parson and Education Commissioner Margie Vandeven accused St. Louis Post-Dispatch journalist Josh Renaud of “hacking” a state website on Oct. 13, 2021, after Renaud reported a flaw in the website that exposed educators’ Social Security numbers. The following day, Parson announced an investigation into the alleged hacking and said the state would pursue criminal prosecution and a civil lawsuit against Renaud and the newspaper, the Post-Dispatch reported.

Renaud discovered the vulnerability on a website maintained by the state’s Department of Elementary and Secondary Education while using a web application that allowed the public to search teacher certifications and credentials. While no private information was publicly visible, the Social Security numbers of 100,000 educators were contained in the HTML source code of the pages.

After identifying the flaw on Oct. 12, the Post-Dispatch reported the vulnerability to DESE and held Renaud’s report until the information was removed from the state website, according to the article.

In a letter sent to educators the following day, Vandeven characterized the journalist’s actions as hacking, though she did not identify Renaud by name. Vandeven alleged that, “Through a multi-step process, an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security (SSN) of those specific educators.”

A cybersecurity professor at the University of Missouri-St. Louis, Shaji Khan, told the Post-Dispatch the data on the website had been encoded but not encrypted, making it easily accessible by anyone with a basic knowledge of web design and functionality.

On Oct. 14, Parson also asserted that Renaud was a hacker during a press conference, and said he had referred the case to the Cole County prosecutor and the Missouri State Highway Patrol’s Digital Forensic Unit.

“This individual is not a victim. They were acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Parson said. “We will not let this crime against Missouri teachers go unpunished and we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”

According to The Washington Post, the governor’s office indicated that Renaud may have violated a Missouri law against “tampering with computer data” — a misdemeanor punishable by up to a year in jail and a $2,000 fine — and that another Missouri code allows a civil suit for damages.

When reached via email, Parson’s Communications Director Kelli R. Jones said she could not comment any more than what was already public, but provided the same Missouri statutes and a link to the Office of Administration’s press release.

“This information was not freely available, and there was no authorization given to tamper with computer data,” Jones said.

DESE Chief Communications Officer Mallory McGowin also declined to comment further and pointed to the OA press release, noting it is where the Information Technology Services Division is housed.

In response to an emailed request for comment from Renaud, the Post-Dispatch also declined to comment further, citing the ongoing investigation. In a statement provided by the outlet from Post-Dispatch Attorney Joe Martineau, he said Renaud acted responsibly by reporting his findings.

“A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent,” Martineau said. “For DESE to deflect its failures by referring to this as ‘hacking” is unfounded. Thankfully, these failures were discovered.”

Freedom of the Press Foundation said Parson’s threats illustrate a fundamental misunderstanding of digital security.

“Whether expressly or unintentionally, this is an effort to intimidate a reporter who is doing important reporting and uncovering a newsworthy story,” ​​said Parker Higgins, advocacy director at FPF, where the U.S. Press Freedom Tracker is housed.

In an editorial responding to Vandeven’s assertions and Parson’s threats, the Post-Dispatch defended Renaud’s actions of alerting the state to the vulnerability and holding the story until the web feature was disabled.

“Predatory hackers don’t behave that way. Responsible journalists do. This is watchdog journalism at its finest,” the Editorial Board wrote. “The reactions by Parson and Vandeven seem designed to distract the public and hide the state’s embarrassment over its own gross negligence.”

Editor’s Note: This article has been updated to reflect comments from the Missouri governor’s communications office and Margie Vandeven’s communications team.

The U.S. Press Freedom Tracker catalogues press freedom violations in the United States. Email tips to [email protected]