Records: Missouri planned to thank glitch-finding journalist
JEFFERSON CITY, Mo. (AP) — Just before Missouri Gov. Mike Parson condemned a St. Louis Post-Dispatch reporter for exposing a state database flaw, records show the state Department of Elementary and Secondary Education was instead preparing to thank him for finding the glitch.
The Post-Dispatch reported Thursday that it obtained records through a Missouri Sunshine Law request, including an Oct. 12 email to Parson’s office from DESE spokeswoman Mallory McGowin containing proposed statements for a news release.
“We are grateful to the member of the media who brought this to the state’s attention,” read a proposed quote from Education Commissioner Margie Vandeven.
The quote ultimately was not used. Instead the Office of Administration issued a news release the next day calling the Post-Dispatch journalist a “hacker.” Parson, a Republican, said at a news conference on Oct. 14 that a criminal investigation was being launched. That investigation is ongoing.
The reporter discovered a flaw on a DESE website that left more than 100,000 Social Security numbers of educators vulnerable to disclosure. The newspaper waited to publish the report until the state took action to protect the vulnerable information.
The newly obtained records show that on Oct. 13, Angie Robinson, the state’s cybersecurity specialist, emailed Department of Public Safety Director Sandra Karsten to inform her that she had forwarded emails from the Post-Dispatch to Kyle Storm with the FBI in St. Louis.
“Kyle informed me that after reading the emails from the reporter that this incident is not an actual network intrusion,” she said.
Instead, the FBI agent said the state’s database was “misconfigured,” Robinson wrote. “This misconfiguration allowed open source tools to be used to query data that should not be public,” she added.
Parson’s spokeswoman, Kelli Jones, declined to comment on the records information obtained by the Post-Dispatch, citing the ongoing investigation.
“The facts are than an individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers’ personal information,” Jones said in an email. “This information was not freely available, and there was no authorization given to tamper with computer data.”
Ian Caso, president and publisher of the Post-Dispatch, said in October that the newspaper stood by the story and the reporter, who he said “did everything right.”