Missouri Governor's Office Responsible For Teacher Data Leak

An anonymous reader quotes a report from Krebs on Security: Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 -- two years after responsibility for securing the state's IT systems was centralized within Parson's own Office of Administration. [...]

On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that [St. Louis Post-Dispatch reporter Josh Renaud] did nothing wrong and only accessed information that was publicly available. Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was "not an actual network intrusion" and the state database was "misconfigured." The emails also revealed the proposed message when education department leaders initially prepared to respond in October: "We are grateful to the member of the media who brought this to the state's attention," was the proposed quote attributed to the state's education commissioner before Parson began shooting the messenger.

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state's Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade. McGowin also said the DESE's website was developed and maintained by the Office of Administration's Information Technology Services Division (ITSD) -- which the governor's office controls directly. "I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct," the Highway Patrol investigator wrote. "I asked her if the ITSD was within the Office of Administration, or if DESE had their on-information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration." The report was a vindication for Renaud and for University of Missouri-St. Louis professor Shaji Khan, who helped the Post-Dispatch verify that the security flaw existed. Khan was also a target of Parson's vow to prosecute "the hackers." Khan's attorney Elad Gross told the publication his client was not being charged, and that "state officials committed all of the wrongdoing here."

"They failed to follow basic security procedures for years, failed to protect teachers' Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem," Gross told The Post-Dispatch. "We thank the Missouri State Highway Patrol and the Cole County Prosecutor's Office for their diligent work on a case that never should have been sent to them."

Casablanca ref

[Tablizer]

"Here's your winning's, Sir..."

What nin-com-poop

[RitchCraft]

... this governor is. Moronic.

Re:

[Narcocide]

He's a Satanist, actually. He didn't do this out of blind stupidity. It was feigned stupidity and he merely overshot.

Re:What nin-com-poop

[Moryath]

It's typical Mike "Crook" Parson. His threats were a desperate attempt to throw blame because he knew his administration was incompetent. DARVO is a well known pattern of republicans. [uoregon.edu]

Re:

[CaptainLugnuts]

Now his overt hostility makes sense.

Time for an apology and take responsibility?

[splutty]

HAHAHAHAHA.

I crack myself up sometimes.

That's never going to happen.

Time for the same treatment they wanted to give

[Sebby]

Time for an apology and take responsibility?

More like time for the same treatment they wanted to dish out: bring charges for exposing private data due to insecure website.

If they'd exist, I'd also add charges for stupidity & incompetence against the governor for wasting taxpayers' money on illegitimate prosecution of the journalist and researchers.

Re:

[Monoman]

The governor's level of arrogance deserves some "The buck stops here" justice. He should see himself out the door.

We know they won't press any charges against him but perhaps a civil suit would be in order.... doubtful.

Re:

[lilTimmy]

Yeah, this dude kept doubling and tripling down. Rather than slink off into the shadows and try to downplay things he just made a huge deal about it when it was sheer incompetence that started everything.

Re:

[Narcocide]

You forgot libel. He knowingly misrepresented their expertise relative to his own, and it did have a negative impact on their public reputations.

Re:

[nightflameauto]

More like time for the same treatment they wanted to dish out: bring charges for exposing private data due to insecure website.

If they'd exist, I'd also add charges for stupidity & incompetence against the governor for wasting taxpayers' money on illegitimate prosecution of the journalist and researchers.

If I were in his state, I'd be satisfied if the money wasted on the investigation and attempted prosecution came out of the governor's pay check. We really need some form of liability built into our government for elected officials aside from the two year, four year check that does fuck-all because 95% of the electorate are too busy screaming "GO TEAM!" to really think about their choices. Make the suckers pay when they fuck up this badly.

Re:

[anonymouscoward52236]

A random Missouri staff member will become the patsy and taken outside to be beaten.

Re:Time for an apology and take responsibility?

[ArchieBunker]

Nope, he's going to triple down and blame antifa.

I have never once seen Missouri mentioned on /.

[rsilvergun]

And how to be anything bordering on positive. Seriously when I saw the headline and read the first word I rolled my eyes and thought, what have they done now?...

Now we know why they were threatening to prosecute. Like a cat burying its turd they were trying to cover up what they themselves did. You would think the voters would stop voting them in office but then you got to understand that if you're in a neighborhood that's unlikely to vote for these guys you're going to be waiting five or six hours to vote.

Re:

[Darinbob]

Remember, the state name's original pronunciation was "misery".

Re:I have never once seen Missouri mentioned on /.

[taustin]

You would think the voters would stop voting them in office but then

I lived in Missouri in my high school years. You might think that, but I wouldn't. Missouri is what happens when too many generations marry first cousins. Or farm animals. It's a great place to be from, and the farther from, the better.

Re:

[drinkypoo]

Pretty crazy how Missouri is full of uneducated shitheels while its primary industry is high-tech manufacturing.

That's because the rest of the state

[rsilvergun]

is a blasted out hell hole, so that manufacturing is the only thing generating any income for anyone. I'm guessing they don't pay much attention to what those industries pump into the water either, which always helps.

This isn't to say the rest of America doesn't have it's share of problems, but the deep south is uniquely screwed by Southern Strategy politics that cause voters to throw in with the worst kind of scum out of misplaced fear.

Re:

[taustin]

Missouri isn't the deep south. It's more the shallow south. As in, "shallow end of the gene pool" shallow.

Ungrateful and arrogant

[sentiblue]

The governor has absolutely no technical knowledge is forgivable. But to go on public records trying to prosecute a journalist who has done everything by the book (waiting for vulnerability to be fixed before announcing in public) is beyond stupidity and arrogance. There's supposed to be a whole bunch of advisers at the Governor's office and it's their job to tell the governor that the journalist has done the state a favor. This is similar to the Starbucks CEO who wanted to prosecute a security researcher for exposing the fact that the Starbucks mobile app at that time stored user password in plaintext.

Re:

[iroll]

I would be 100% SURPRISED if the whole bunch of advisors didn't advise the Governor to do exactly what he did, because there will be zero fallout. Never apologize - immediately attack. Thanks to culture war society, everybody is getting what they wanted: the Governor got to blow hard about hackers to his people (who will never read, much less believe, the turnabout) and the tech community got its vindication and moment of indignation on slashdot. The end.

Typical Two Tier U.S. "Justice" system

[Maxo-Texas]

One law for the normal people.
Another law for the wealthy and powerful.

Re:

[Rockoon]

I'm just wondering at what point do we stop using the guillotines.

There are some safe people to start with, but when will we know that we've gone too far?

Certainly seems like going too far is a common trait. This story is about a governor going too far.

You would think the people racing towards guillotines wouldnt be so sure that they arent on the list.

Now time to find then next scapegoat

[misnohmer]

Ok, now that the governor cannot blame it on a reporter, and surely he cannot be responsible for anyone reporting to him, time to find the guilty person. Perhaps the custodian who cleans the offices of the Office of Administration accidentally threw away the "basic security procedures" manual...

Ah, the joy of using SSN as a primary key...

[oome]

...a never ending source of blamestorming!

Probably the same people

[Bitbeard]

What's appalling is there's that many people without even a rudimentary understanding of the technology they're using every day.

Probably the same people who complain their GPS doesn't work underground.