Missouri state government officials planned to publicly thank a journalist who discovered a security flaw until a drastic change in strategy resulted in the governor labeling the journalist a “hacker,” while threatening both a lawsuit and prosecution.
As we wrote on October 14, St. Louis Post-Dispatch reporter Josh Renaud identified a security flaw that exposed the Social Security numbers of teachers and other school employees in unencrypted form in the HTML source code of a publicly accessible website. Renaud and the Post-Dispatch handled the problem the way responsible security researchers do—by notifying the state of the security flaw and keeping it secret until after it was fixed.
Despite that, Missouri Gov. Mike Parson called Renaud a “hacker” and said the newspaper’s reporting was nothing more than a “political vendetta” and “an attempt to embarrass the state and sell headlines for their news outlet.” The Republican governor said further that his “administration has notified the Cole County prosecutor of this matter,” that the Missouri State Highway Patrol’s Digital Forensic Unit would investigate “all of those involved,” and that state law “allows us to bring a civil suit to recover damages against all those involved.”