Prosecutor declines to charge for St. Louis Post-Dispatch reporter labeled a ‘hacker’ by Missouri governor
A prosecutor for Cole County, Missouri, announced on Feb. 11, 2022, that no charges would be filed against St. Louis Post-Dispatch reporter Josh Renaud, who was described as a “hacker” after uncovering a flaw in a state database that allowed public access to thousands of educators' Social Security numbers in October 2021.
“This decision is a relief. But it does not repair the harm done to me and my family. My actions were entirely legal and consistent with established journalistic principles,” Renaud said in a statement after the announcement.
According to television station KRCG, Cole County Prosecutor Locke Thompson said there was an argument to be made that the law had been violated but the issues at the heart of the investigation were resolved through non-legal means.
“As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case,” Thompson said.
Ian Caso, the St. Louis Post-Dispatch publisher, said in a statement to the outlet that he was pleased prosecutors realized “there was no legitimate basis for any charges against the St. Louis Post-Dispatch or our reporter.”
“This matter should have never gone beyond the state’s initial, intended response, which was to thank the reporter for the responsible way he handled the situation. Instead, too much taxpayer money has been wasted in a politically-motivated investigation," Caso said.
According to the Post-Dispatch, Gov. Mike Parson continued to express “vehement confidence that a case would be brought” against the journalist as late as Dec. 29. Parson’s office issued a statement saying the decision “was properly addressed.”
“The state did its part by investigating and presenting its findings to the Cole County prosecutor, who has elected not to press charges, as is his prerogative,” spokeswoman Kelli Jones said.
Missouri Gov. Mike Parson and Education Commissioner Margie Vandeven accused St. Louis Post-Dispatch journalist Josh Renaud of “hacking” a state website on Oct. 13, 2021, after Renaud reported a flaw in the website that exposed educators’ Social Security numbers. The following day, Parson announced an investigation into the alleged hacking and said the state would pursue criminal prosecution and a civil lawsuit against Renaud and the newspaper, the Post-Dispatch reported.
Renaud discovered the vulnerability on a website maintained by the state’s Department of Elementary and Secondary Education while using a web application that allowed the public to search teacher certifications and credentials. While no private information was publicly visible, the Social Security numbers of 100,000 educators were contained in the HTML source code of the pages.
After identifying the flaw on Oct. 12, the Post-Dispatch reported the vulnerability to DESE and held Renaud’s report until the information was removed from the state website, according to the article.
In a letter sent to educators the following day, Vandeven characterized the journalist’s actions as hacking, though she did not identify Renaud by name. Vandeven alleged that, “Through a multi-step process, an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security (SSN) of those specific educators.”
A cybersecurity professor at the University of Missouri-St. Louis, Shaji Khan, told the Post-Dispatch the data on the website had been encoded but not encrypted, making it easily accessible by anyone with a basic knowledge of web design and functionality.
On Oct. 14, Parson also asserted that Renaud was a hacker during a press conference, and said he had referred the case to the Cole County prosecutor and the Missouri State Highway Patrol’s Digital Forensic Unit.
“This individual is not a victim. They were acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Parson said. “We will not let this crime against Missouri teachers go unpunished and we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”
According to The Washington Post, the governor’s office indicated that Renaud may have violated a Missouri law against “tampering with computer data” — a misdemeanor punishable by up to a year in jail and a $2,000 fine — and that another Missouri code allows a civil suit for damages.
When reached via email, Parson’s Communications Director Kelli R. Jones said she could not comment any more than what was already public, but provided the same Missouri statutes and a link to the Office of Administration’s press release.
“This information was not freely available, and there was no authorization given to tamper with computer data,” Jones said.
DESE Chief Communications Officer Mallory McGowin also declined to comment further and pointed to the OA press release, noting it is where the Information Technology Services Division is housed.
In response to an emailed request for comment from Renaud, the Post-Dispatch also declined to comment further, citing the ongoing investigation. In a statement provided by the outlet from Post-Dispatch Attorney Joe Martineau, he said Renaud acted responsibly by reporting his findings.
“A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent,” Martineau said. “For DESE to deflect its failures by referring to this as ‘hacking' is unfounded. Thankfully, these failures were discovered.”
Freedom of the Press Foundation said Parson’s threats illustrate a fundamental misunderstanding of digital security.
“Whether expressly or unintentionally, this is an effort to intimidate a reporter who is doing important reporting and uncovering a newsworthy story,” said Parker Higgins, advocacy director at FPF, where the U.S. Press Freedom Tracker is housed.
In an editorial responding to Vandeven’s assertions and Parson’s threats, the Post-Dispatch defended Renaud’s actions of alerting the state to the vulnerability and holding the story until the web feature was disabled.
“Predatory hackers don’t behave that way. Responsible journalists do. This is watchdog journalism at its finest,” the Editorial Board wrote. “The reactions by Parson and Vandeven seem designed to distract the public and hide the state’s embarrassment over its own gross negligence.”
Editor’s Note: This article has been updated to reflect comments from the Missouri governor’s communications office and Margie Vandeven’s communications team.