- The governor of Missouri is calling for criminal charges against a reporter who found social security numbers exposed online.
- The reporter found that the SSNs of over 100,000 teachers were viewable on a government site.
- Gov. Mike Parson labeled the reporter a "hacker" and demanded an investigation – which cyber experts say makes no sense.
Missouri Gov. Mike Parson is demanding a criminal investigation into a journalist who found social security numbers exposed on a state website – a reaction that cybersecurity experts say makes no sense.
On Wednesday, St. Louis Post-Dispatch reporter Josh Renaud published a story revealing that the state's education department website exposed the SSNs of over 100,000 employees including teachers and administrators. All Renaud had to do to view the SSNs was open "inspect element" to view the page's source code, which anyone can do with two clicks of a mouse.
Renaud first disclosed the exposure to the state on Tuesday and waited until the issue was fixed before publishing his story – a well-established best practice in cybersecurity reporting.
But after the story went live, Parson held a press conference Thursday slamming Renaud as a "hacker" and calling on state prosecutors to conduct a criminal investigation into his report.
"We will not let this crime against Missouri teachers go unpunished," Parson said. "They were acting against a state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet."
Parson's remarks have been met by widespread bewilderment and outrage from cybersecurity experts, who say Renaud disclosed the exposed data responsibly and that using a web browser's "inspect element" tool does not constitute hacking.
"Hitting F12 in a browser is not hacking," SocialProof Security CEO Rachel Tobac said in a tweet. "Fix your website." Another cybersecurity researcher, Matt Blaze, admonished Parson for moving to "call the cops" on someone who "quite responsibly" disclosed the vulnerability.
A day after Parson's press conference, Cybersecurity and Infrastructure Security Agency director Jen Easterly tweeted that the agency relies on researchers who "find and responsibly disclose vulnerabilities" - a message interpreted by some to reference Parson's remarks. A CISA spokesperson declined to comment beyond Parson's tweet when reached by Insider.
-Jen Easterly (@CISAJen) October 15, 2021
Despite Parson's bluster, it's unlikely that any criminal charges will be filed against Renaud. As TechCrunch reports, a recent Supreme Court ruling found that in order to violate federal anti-hacking laws, a person has to obtain information from a computer that they can't normally access - meaning information available on a public website is unlikely to be considered off-limits.
St. Louis Post-Dispatch publisher Ian Caso said in a statement that the newspaper stands by Renaud, who "did everything right."
"It's regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website's problem," Caso said.