The investigation of a Missouri News organization is done; the investigation, conducted by the Missouri State Highway Patrol started following revelations of a journalist revealing a flaw in a state database.
According to an OzarksFirst report, on Monday Patrol Capt. John Hotz informed the St. Louis Post-Dispatch “that results of the investigation were turned over to Cole County Prosecuting Attorney Locke Thompson.” Additionally, the article states that it is unclear if charges will be filed, and it notes that Missouri Governor Mike Parson “announced the investigation in October after a Post-Dispatch reporter informed the state of a significant data issue that left Social Security numbers of educators vulnerable to public disclosure.” The article also states that the Post-Dispatch “held off publishing a story about the flaw until the state fixed it” and that a “state news release called the journalist a hacker.”
Ozarks DynaCom’s News Department contacted Parson’s office for comments from his communications team or himself; Communications Director Kelli Jones responded. Jones did not comment on the completed investigation, but instead she provided details on the incident and why the journalist was called a hacker. “Through a multi-step process, an individual admitted to taking the records of at least three educators, decoded the HTML source code, viewed the SSN of those specific educators, and shared findings. Upon receiving this notice, DESE [the Missouri Department of Elementary and Secondary Education] immediately contacted the Missouri Office of Administration ITSD, who programs and maintains the web application, to remove public access to the portal and update the code. This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged him to do so in accordance with what Missouri law allows and requires.”
Jones said a hacker is someone “who gains unauthorized access to information or content” and that the “individual did not have permission to do what he did.” “He had no authorization to convert, decode the code, and share. Hacking in not journalism,” Jones added.
In her email response, Jones also said that under Missouri law “a person commits the offense of tampering with computer data if he or she knowingly and without authorization accesses, takes, and examines personal information without permission.” She said this is according to Section 569.095, RSMo. “This data was not freely available and had to be converted and decoded.”
“The state does not take this matter lightly, and we are working to strengthen our security to prevent this incident from happening again. The state is owning its part, and we are addressing areas in which we need to do better than we have done before. We will not rest until we clearly understand the intentions of this individual and why he was targeting Missouri teachers.” Follow up questions were sent to Jones.
Jones said she could not comment on what the journalist’s employer has said but that “its President has made comment in some articles.” She said the journalist did hack the system. Ozarks DynaCom’s News Department contacted St. Louis Post-Dispatch’s Director of Public Relations Tracy Rouch. “At this time, we cannot comment on the findings as they have not been released. As for why our journalist was called a hacker in the state release, you would have to ask them for comment. All our comments have appeared in our stories from our President and Publisher Ian Caso, which you are free to use.” Rouch said.
Their Dec. 28 article is available online along with their prior articles. The Dec. 28 article states that according to records “obtained by the newspaper through an open records request, Margie Vandeven, state education commissioner, initially planned on thanking the Post-Dispatch for uncovering the state’s data problem,” but instead Missouri issued a press release calling the reporter a “hacker.” Rouch provided comments from story updates; two comments are from Caso while one is from St. Louis Post-Dispatch Attorney Joe Martineau from Lewis Rice LLC.
“We’re pleased to see the support and interest generated from this story. It highlights the valuable work of our journalists. I’m grateful our reporter, Josh Renaud was able to uncover the problem and share it with the appropriate state officials. I think he should be commended for his work and sense of duty. We are surprised and disappointed at the governor’s response and deflection,” Caso said in an article from Oct. 15. In the other quote from Caso in a story from Dec. 2, he said these “documents show there was no network intrusion. As DESE [the Missouri Department of Elementary and Secondary Education] initially acknowledged, the reporter should have been thanked for the responsible way he handled the matter and not chastised or investigated as a hacker.”
“The reporter did the responsible thing by reporting his findings to the Department of Elementary and Secondary Education (DESE) so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as “hacking” is unfounded. Thankfully, these failures were discovered,” Martineau said. Ozarks DynaCom’s News Department contacted Hotz from highway patrol's Public Information and Education Division. Hotz said that the investigation was not of the Post-Dispatch but the incident; he said he could not make additional comments outside of what he has previously said.