Republican Missouri Gov. Mike Parson has become the subject of widespread criticism for accusing a journalist of hacking after the journalist pointed out a data vulnerability on the state government’s website.
On Thursday, a St. Louis Post-Dispatch reporter wrote that over 100,000 educators’ Social Security numbers (SSN) were easily viewable through the HTML source code on a website run by the state’s education department. The reporter notified the government, giving them time to address the vulnerability and scan other government-run websites for similar issues before publishing the story.
Not long after the article was published, Parson accused the reporter of being a “hacker” without evidence and promised to seek criminal prosecution. “This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” Parson said at a press conference.
Parson continued to imply that the Post-Dispatch journalist had some sort of ulterior motive, claiming the reporter was “acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.” Ironically, his threats to the journalist are bringing far more attention to the story than it would have gotten otherwise.
As many reporters and people familiar with basic computer functions have pointed out, the journalist didn’t participate in anything close to resembling hacking. Rather, he accessed information that is public on every webpage: the source code, which can be accessed easily via the “view source” functionality. By pointing out the flaw in the website, he likely helped avert disaster for the state’s educators’ by protecting their personal information — not vice versa, as Parson erroneously claimed.
This type of data vulnerability is a well-known mistake, a cybersecurity professor at the University of Missouri-St. Louis told the Post-Dispatch. The professor added that it was “mind boggling” to see it still happening on a government website, even though this type of cybersecurity error has been around for at least a decade.
Lawmakers and journalist organizations were dismayed at the governor’s direct attack on a member of the press.
“Let’s make this clear: It was [Governor Parson] who failed to secure teachers’ SSNs. There’s no ‘hacking’ here. There’s an effort to criminalize journalists,” wrote Rep. Cori Bush, a Democrat from Missouri. “Shame on you, Governor.”
“Using journalists as political scapegoats by casting routine research as ‘hacking’ is a poor attempt to divert public attention from the government’s own security failing,” Katherine Jacobsen, the U.S program coordinator at the Committee to Protect Journalists (CPJ) told The Washington Post, adding that Parson’s threats were “absurd.”
Though many people pointed out the simplicity of the data vulnerability to the governor after his threats on Thursday, Parson only doubled down on his statements in tweets later that day. “We want to be clear, this DESE hack was more than a simple ‘right click,’” he lied. “This data was not freely available, and by the actors own admission, the data had to be taken through eight separate steps in order to generate a SSN.”
Parson’s statements are easily debunked; according to the original article, “the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.” Not only is it unclear what “steps” Parson is talking about, the source code of websites is freely available — one can even view it on a smartphone browser.
Though Parson’s motivations are undetermined, the threats are part of disturbing and ongoing attempts by Republicans to discredit the media at large, years after Donald Trump coined the term “fake news.”
“Trump’s most effective ploy has been to destroy the credibility of the press,” CPJ wrote in a 2020 report.
During his presidency, Trump reportedly asked then-Federal Bureau of Investigations Director James Comey to prosecute journalists who reported on leaks. He also repeatedly attacked the media for portraying him in a negative light and embarrassing his administration.
Join us in defending the truth before it’s too late
The future of independent journalism is uncertain, and the consequences of losing it are too grave to ignore. To ensure Truthout remains safe, strong, and free, we need to raise $29,000 in the next 36 hours. Every dollar raised goes directly toward the costs of producing news you can trust.
Please give what you can — because by supporting us with a tax-deductible donation, you’re not just preserving a source of news, you’re helping to safeguard what’s left of our democracy.