JEFFERSON CITY, Mo. — Before blaming the St. Louis Post-Dispatch, the Missouri Department of Elementary and Secondary Education was preparing to thank the newspaper for discovering a significant data vulnerability, according to records obtained by the Post-Dispatch through a Sunshine Law request.
In an Oct. 12 email to officials in Gov. Mike Parson’s office, Mallory McGowin, spokeswoman for DESE, sent proposed statements for a press release announcing the data vulnerability the newspaper uncovered.
“We are grateful to the member of the media who brought this to the state’s attention,” said a proposed quote from Education Commissioner Margie Vandeven.
The Parson administration and DESE did not end up using that quote.
The next day, on Oct. 13, the Office of Administration issued a news release calling the Post-Dispatch journalist a “hacker.”
And on Oct. 14, Parson held a news conference to rail against the Post-Dispatch and announce a criminal investigation by the Missouri State Highway Patrol.
“We will not let this crime against Missouri teachers go unpunished,” Parson said at the news conference. “And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”
The Post-Dispatch reported on the vulnerability the night before, saying a flaw on a DESE website left more than 100,000 Social Security numbers of educators vulnerable to disclosure.
The newspaper didn’t publish its report until after the state moved to protect the vulnerable information.
A web application that allowed the public to look up teacher certifications and credentials contained the vulnerability, the newspaper reported.
No private information was clearly visible. The Social Security numbers for school teachers, administrators and counselors were present in the HTML source code of the publicly available pages involved.
Emails obtained by the newspaper document the administration’s shift in tone.
At 1:18 p.m. on Oct. 13, McGowin emailed Kelli Jones and Johnathan Shiflett, who both work in the governor’s office, to say Vandeven wanted her to meet with governor’s office officials.
“Margie asked me to come over and meet you all — on my way,” she said.
In a draft news release sent at 3:46 p.m., McGowin used the word “individual” to refer to the Post-Dispatch reporter. At 4:20 p.m., Shiflett sent a draft that used the word “hacker” instead to refer to the reporter.
“Mallory — we only made a few additional edits after yours,” Shiflett said.
Meanwhile, at 3:24 p.m. on Oct. 13, Angie Robinson, cybersecurity specialist for the state, emailed Department of Public Safety Director Sandra Karsten to inform her that she had forwarded emails from the Post-Dispatch to Kyle Storm with the FBI in St. Louis.
“Kyle informed me that after reading the emails from the reporter that this incident is not an actual network intrusion,” she said.
Instead, she wrote, the FBI agent said the state’s database was “misconfigured.”
“The misconfiguration allowed open source tools to be used to query data that should not be public,” she wrote.
“Kyle said the FBI would speak to Gwen Carroll, the AUSA (assistant U.S. attorney), with the updated information from the emails to see if this still fit the crime and if she was interested in prosecuting,” Robinson said.
Karsten forwarded the email to Aaron Willard, who is Parson’s chief of staff, as well as Vandeven, Jones and other administration officials.
As of Tuesday, the Highway Patrol’s investigation was still active, Capt. John Hotz told the Post-Dispatch.
———
