JEFFERSON CITY, Mo. — A police investigation released Monday shows that a flaw in a Missouri Department of Elementary and Secondary Education webpage had been in place since 2011 and that no one had noticed the flaw until a St. Louis Post-Dispatch journalist pointed out the weakness.
The 158-page report also showed that reporter Josh Renaud hadn’t accessed “anything that was not publicly available, nor was he in a place he should not have been,” according to a Missouri Highway Patrol interview with state education department spokeswoman Mallory McGowin.
“She said Josh Renaud appears to have only accessed open public data,” the report notes.
The report was released more than a week after Cole County Prosecuting Attorney Locke Thompson announced he would not be charging Renaud in connection with the investigation.
Thompson’s decision was reached almost seven weeks after his office received the report from the Missouri Highway Patrol, which had been tasked with the probe by Gov. Mike Parson in October.
Parson had suggested prosecution was imminent throughout the probe.
But, according to the report, McGowin said a vulnerability that left 576,000 teacher Social Security numbers exposed "would have been there since 2011, when the application was implemented."
“I asked her if this had ever been brought up before, and she stated not in the two years she had worked at DESE. She stated employees who have worked at DESE since 2011 have said the same thing,” the police report notes.
McGowin told police when the website was brought online in 2011, the practice exposed by Renaud would have been OK.
“She stated since then, that process is no longer considered 'best practice,’” the report said.
Further, McGowin said the database — like other state computer services — is actually overseen by Parson's Office of Administration, which the governor controls.
The highway patrol said it spent about 175 hours on the investigation. Three officers assisted in the probe. No cost estimate was provided.
The investigators also talked with cybersecurity expert Shaji Khan, who had verified for the Post-Dispatch that the flaw existed.
Khan, who teaches at the University of Missouri-St. Louis, said he was alarmed by the information he’d received about the vulnerability.
“He (Khan) stated by the time he was done looking, he realized how bad the situation was and indicated the state needed to be notified immediately,” the report notes.
Khan's attorney, Elad Gross, said last week that Thompson would not be charging Khan either.
In a statement Monday, Gross said the report "clearly shows that state officials committed all of the wrongdoing here."
"They failed to follow basic security procedures for years, failed to protect teachers' Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem," Gross said.
"We thank the Missouri State Highway Patrol and the Cole County Prosecutor's Office for their diligent work on a case that never should have been sent to them," Gross said.
Parson launched the investigation after the Post-Dispatch reported Oct. 13 that more than 100,000 Social Security numbers of Missouri educators had been vulnerable. Renaud found teachers’ Social Security numbers were accessible in the HTML source code of some publicly available DESE webpages.
The newspaper informed DESE of the flaw and delayed publication until the department could take action to protect the privacy of individuals in the database.
While DESE had initially planned to thank the Post-Dispatch for finding the flaw, Parson instead held a news conference during which he alleged Renaud had been “hacking” the state’s computer system.
The governor cited a state statute that says someone tampers with computer data if he or she “without authorization or without reasonable grounds to believe that he has such authorization” accesses a computer system and “intentionally examines information about another person.”
Emails later obtained by the Post-Dispatch found that the FBI told state cybersecurity officials that there was “not an actual network intrusion” and the state database was “misconfigured.”
The records showed that Angie Robinson, cybersecurity specialist for the state, had emailed Department of Public Safety Director Sandra Karsten to inform her that she had forwarded emails from the Post-Dispatch to Kyle Storm with the FBI in St. Louis. Robinson said the FBI agent indicated there was no “network intrusion.”
The emails also revealed the proposed message when education department leaders prepared to respond in October:
“We are grateful to the member of the media who brought this to the state’s attention” was the proposed quote attributed to Education Commissioner Margie Vandeven.
Instead, the state eventually described Renaud as a “hacker.”
———
