A newly released police report thoroughly debunks Missouri Gov. Mike Parson’s baffling claim that a journalist who helped the state identify and fix a website security flaw was a “hacker” and criminal.
Parson demanded the investigation in October and called for criminal charges against St. Louis Post-Dispatch reporter Josh Renaud. “It is unlawful to access encoded data and systems in order to examine other people’s personal information, and we are coordinating state resources to respond and utilize all legal methods available,” Parson said at the time. The Republican governor claimed that Renaud was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet” and said his administration “will not let this crime against Missouri teachers go unpunished.”
But the resulting police report confirms in detail that Renaud did exactly what he said from the beginning: He identified a security flaw by viewing publicly available HTML code on a misconfigured state website and delayed publishing an article on his findings until after the state closed the security hole.
The police report also revealed that the security flaw had existed since 2011. The mistake exposed teachers’ Social Security numbers on a Department of Elementary and Secondary Education (DESE) website that allowed anyone to search for information about teachers. Up to 576,000 teachers’ Social Security numbers may have been exposed because the data goes back to 2005, the report said.
The Missouri State Highway Patrol police report was posted yesterday by the Post-Dispatch along with an article about the report. “The highway patrol said it spent about 175 hours on the investigation. Three officers assisted in the probe. No cost estimate was provided,” the Post-Dispatch wrote.
Prosecutor closed investigation without charges
The police report was provided to Cole County Prosecutor Locke Thompson about two months ago. Thompson announced on February 11 that he closed the investigation without charges and that “the issues at the heart of the investigation have been resolved through non-legal means.”
The police report paraphrases interviews conducted in October with state employees, Renaud, and Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis who helped Renaud verify the security vulnerability. The report lists Renaud as a “suspect” but listed the case as closed on October 29.
The report “show[s] that state officials knew both that no crime had been committed and that they should never have maintained a public website with such a major and elementary security flaw,” Khan’s attorney, Elad Gross, told Ars in a statement yesterday. The report “clearly shows that state officials committed all of the wrongdoing here,” he said.
Reporter “only accessed open public data”
Mallory McGowin, chief communications officer for DESE, told police that the problem identified by Renaud “was an error or oversight when ITSD [Information Technology Services Division] developed the application” and “stated the vulnerability would have been there since 2011, when the application was implemented.”
McGowin confirmed that Renaud only accessed publicly available data. “She stated from what she has observed, Mr. Renaud did not access anything that was not publicly available, nor was he in a place he should not have been. She said Josh Renaud appears [to] have only accessed open public data,” the police report said.
Thompson told the Missouri Independent that the investigation didn’t find “any criminal intent,” though he said it “may have technically been a crime” because a state law on tampering with computer data “does appear to be so vague that it basically describes someone using a computer to look up someone’s information.” The law bans accessing a computer system to intentionally examine information about another person, but specifies that it’s a crime only “if he or she [does so] knowingly and without authorization or without reasonable grounds to believe that he has such authorization.”
While the Post-Dispatch reported in October that the flaw exposed 100,000 Social Security numbers, it was apparently a lot more. “I asked Mrs. McGowin how many teachers were in the database, and she stated the data would have dated back to 2005, and the total number would be approximately 576,000,” Corporal Kyle Seabaugh wrote in the police report. Renaud told police the initial estimate of 100,000 was based on the current year, “and he said he observed information indicating other years of information and possibly retirees’ Social Security numbers were in the database.”
McGowin also “said the database—like other state computer services—is actually overseen by Parson’s Office of Administration, which the governor controls,” the Post-Dispatch said in its report yesterday.