Missouri Gov. Mike Parson (R) is branding a journalist as a “hacker” and threatening to prosecute them for discovering a serious flaw in a government website that left people’s personal information easily accessible.
Parson, who clearly doesn’t know what a hacker is, lashed out against a reporter from the St. Louis Post-Dispatch on Thursday after the newspaper published a story earlier this week that detailed how the social security numbers of 100,000 Missouri teachers were left vulnerable on a state Department of Elementary and Secondary Education website.
The reporter, Josh Renaud, found that the social security numbers were in the HTML source code of the website. Anyone can see the source code of a website by right-clicking and selecting “view page source” or pressing F12. The newspaper even delayed publication of its story to allow for officials to protect the easily visible private information and allow other agencies to check to make sure there weren’t similar issues, according to its report.
That simple act of right-clicking apparently has Parson worked up.
During a press conference on Thursday, the governor said that he has referred the matter to the Cole County prosecutor and asked the Missouri State Highway Patrol’s Digital Forensic Unit to conduct an investigation.
He then immediately followed that up by saying the investigation and diversion of resources may cost Missouri $50 million, meaning “this matter is a serious matter.”
Joe Martineau, an attorney for the St. Louis Post-Dispatch, told KrebsOnSecurity that calling what the reporter did “hacking” was “unfounded.”
“A hacker is someone who subverts computer security with malicious or criminal intent,” Martineau said. “Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
Meanwhile, Sen. Ron Wyden (D-Ore.) criticized Parson for unleashing “attack dogs” on the reporter and news outlet.
“Journalism isn’t a crime. Cybersecurity research isn’t either. Real leaders don’t unleash their attack dogs on the press when they expose government failures, they roll up their sleeves and fix the problem,” Wyden wrote in a tweet.
As news of Parson’s claims spread, he was met with mockery by people online.
“Hitting F12 in a browser is not hacking. If your code leaks personal data via public development tools that any person can see by simply pressing F12 on a keyboard then you have a huge data leak issue, not a hacking situation, on your hands. Fix your website,” Rachel Tobac, a hacker and CEO of SocialProof Security, tweeted.
You can read all of the St. Louis Post-Dispatch report here.