ST. LOUIS (AP) — A flaw in a state database that allowed public access to thousands of teachers’ Social Security numbers has been in place for a decade before a St. Louis Post-Dispatch reporter exposed it, according to a report that was released Monday.
Republican Gov. Mike Parson condemned reporter Josh Renaud last fall for writing about the weakness, even though the paper refrained doing so until after the state could fix it. Parson also said the Missouri State Highway Patrol would conduct an investigation, which culminated in the 158-page report that was released Monday.
The St. Louis Post-Dispatch reports that DESE spokeswoman Mallory McGowin told the patrol that Renaud hadn’t accessed “anything that was not publicly available, nor was he in a place he should not have been.”
According to the report, McGowin also told investigators with the patrol that a vulnerability that left 576,000 teacher Social Security numbers exposed “would have been there since 2011, when the application was implemented.”
The Post-Dispatch previously obtained records through an open records request showing that the state education commissioner initially planned to thank the newspaper for finding the problem. But the state instead issued a news release calling the reporter a “hacker.”
McGowin said the database — like other state computer services — is actually overseen by Parson’s Office of Administration, which the governor controls.
The highway patrol said it spent about 175 hours on the investigation. Three officers assisted in the probe. No cost estimate was provided.
The report’s release came more than a week after Cole County Prosecuting Attorney Locke Thompson announced he would not be charging Renaud in connection with the investigation.
The investigators also talked with cybersecurity expert Shaji Khan, who had verified for the Post-Dispatch that the flaw existed.
Khan, who teaches at the University of Missouri-St. Louis, said he was alarmed by the information he’d received about the vulnerability.
“He (Khan) stated by the time he was done looking, he realized how bad the situation was and indicated the state needed to be notified immediately,” the report notes.
Khan’s attorney, Elad Gross, said last week that Thompson would not be charging Khan either.
“Governor Mike Parson had no basis to instigate a criminal investigation into reporter Josh Renaud or cybersecurity expert Dr. Shaji Khan. These Missourians responsibly reported a security flaw on a public website that transmitted teachers’ social security numbers to every website visitor. They did the right thing,” Gross said in a statement.
For copyright information, check with the distributor of this item, St. Louis Post-Dispatch.
Get local news delivered to your inbox!