JEFFERSON CITY — A police investigation released Monday shows a flaw in a Missouri Department of Elementary-Secondary Education webpage had been in place since 2011, and no one noticed it until a Post-Dispatch reporter reported the weakness.
The 158-page report also showed that journalist Josh Renaud did not access “anything that was not publicly available, or where it should not have been,” according to a Missouri Highway Patrol interview with DESE spokesperson Mallory McGowin.
“She said that Josh Renaud appears to have only accessed open public data,” the report notes.
The report was released more than a week after Cole County District Attorney Locke Thompson announced he would not charge Renaud in the investigation.
Thompson’s decision came nearly seven weeks after his office received the report from the Missouri Highway Patrol, which was tasked with the investigation by Gov. Mike Parson in October.
Parson had suggested that prosecution was imminent throughout the investigation.
But, according to the report, McGowin said a vulnerability that left 576,000 teachers’ Social Security numbers exposed “would have been there since 2011, when the app was implemented.”
“I asked her if this had been brought up before, and she said no in the two years she had worked at DESE. She said employees who had worked at DESE since 2011 said the same thing,” the police report notes.
McGowin told police that when the website went live in 2011, the practice Renaud exhibited would have been acceptable.
“She said that since then, this process is no longer considered a ‘best practice,’” the report said.
Additionally, McGowin said the database — like other state IT departments — is actually overseen by Parson’s administration office, which the governor controls.
The Highway Patrol said it spent about 175 hours on the investigation. Three officers participated in the investigation. No cost estimate was provided.
Investigators also spoke with cybersecurity expert Shaji Khan, who had verified for the Post-Dispatch that the flaw existed.
Khan, who teaches at the University of Missouri-St. Louis, said he was alarmed by the information he had received about the vulnerability.
“He (Khan) said that by the time he was done looking, he realized how serious the situation was and advised that the state should be notified immediately,” the report noted.
Khan’s lawyer, Elad Gross, said last week that Thompson would not charge Khan either.
In a statement Monday, Gross said the report “makes it clear that state officials committed all wrongdoings here.”
“They failed to follow basic safety procedures for years, failed to protect teachers’ social security numbers, and failed to take responsibility, choosing instead to open a baseless investigation into two Missourians who did the right thing and reported the issue,” Gross said.
“We thank the Missouri State Highway Patrol and the Cole County District Attorney’s Office for their diligent work on a case that should never have been sent to them,” Gross said.
Parson launched the investigation after the Post-Dispatch reported Oct. 13 that more than 100,000 social security numbers of educators in Missouri were vulnerable. Renaud discovered that teachers’ social security numbers were accessible in the HTML source code of some publicly available DESE web pages.
The newspaper notified DESE of the flaw and delayed publication until the department could take steps to protect the privacy of individuals in the database.
While DESE originally planned to thank the Post-Dispatch for finding the loophole, Parson instead held a press conference at which he alleged Renaud had “hacked into” the state’s computer system.
The governor cited a state law that says a person tampers with computer data if they “without authorization or without reasonable grounds to believe they have such authorization” access a computer system and “intentionally examine information on another person.”
Emails later obtained by the Post-Dispatch revealed that the FBI had told state cybersecurity officials that there was “no actual network intrusion” and that the state database was “misconfigured.”
Records showed Angie Robinson, a cybersecurity specialist for the state, emailed Department of Public Safety Director Sandra Karsten to inform her that she had forwarded emails from the Post-Dispatch to the FBI’s Kyle Storm in St. Louis. Robinson said the FBI agent indicated there was no “network intrusion.”
The emails also revealed the proposed message when Education Department officials prepared to respond in October:
“We are grateful to the member of the media who brought this to the attention of the state” was the proposed quote attributed to Education Commissioner Margie Vandeven.
Instead, the state eventually described Renaud as a “hacker.”