Last week, the St. Louis Post-Dispatch revealed that the source code on a Missouri state website included the Social Security numbers of teachers, administrators, and counselors. The state government has reacted by blaming the Post-Dispatch.
Now, the governor is doubling down on that with a new attack ad.
“The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials,” the paper reported, adding, “Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.”
Before reporting on the vulnerability, the Post-Dispatch notified Missouri’s Department of Elementary and Secondary Education and held the story until it removed the affected pages.
Since then, the state has vehemently denied that it is to blame.
In a news release, the Office of Administration called the Post-Dispatch reporter a “hacker,” the paper reports. Gov. Mike Parson threatened criminal prosecution. State Education Commissioner Margie Vandeven accusingly said that “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the Social Security number (SSN) of those specific educators.”
Now one of Gov. Parson’s allies has released an ad blaming the paper.
Earlier this week, Uniting Missouri published an ad calling the Post-Dispatch‘s reporting “fake news” and accusing it of “playing politics” by reporting on publicly available HTML source code on a government site.
“Governor Parson believes everyone is entitled to their privacy—especially our teachers,” the ad says, suggesting the SSNs being in the source code wasn’t the state’s fault in the first place.
“Exploiting private information is a squalid excuse for journalism, and hiding behind the noble principle of free speech to do it is shameful,” the ad’s narrator concludes menacingly.
Twitter users are not impressed. No one seems to believe that the paper is to blame. “This is it. We’ve achieved the stupidest take on the history of infosec,” tweeted @dodo_sec.
Some thought that the state should actually be grateful to the Post-Dispatch for pointing out the security issue.
One pointed out that viewing source code is a simple process that anyone can do in “approximately 10 seconds.”
“So @GovParsonMO isn’t just doubling down on the view source ‘hack,’ his friends are producing hilariously stupid commercials trying to make ethical breach disclosure appear nefarious. This is absurd and dangerous,” tweeted Mike Masnick, editor of Techdirt.
A University of Missouri-St. Louis professor who spoke to the Post-Dispatch for its story, whom the state has also accused of wrongdoing, is now demanding a public apology and compensation for “damage to his reputation,” a local NPR affiliate reports.
In a statement to the Daily Dot, the Post-Dispatch said it was heartening to see the case getting national attention.
“We’re pleased to see the support and interest generated from this story. It highlights the valuable work of our journalists. I’m grateful our reporter, Josh Renaud was able to uncover the problem and share it with the appropriate state officials. I think he should be commended for his work and sense of duty. We are surprised and disappointed at the governor’s response and deflection,“ Ian Caso, president and publisher of the St. Louis Post-Dispatch, said.
This post has been updated with comment from the St. Louis Post-Dispatch.