Getty Gov. Mike Parson listens to a media question during a press conference.
Gov. Mike Parson of Missouri announced that an individual stole Social Security numbers after they “decoded the HTML source code.” However, a local media publication is disputing this claim and saying the individual was their own reporter who warned Parson’s administration about the security flaw and let them fix it before reporting about it. The word “SSNs” began trending on Twitter after Parson’s announcement, as people pointed out that if the Social Security numbers were in the source code, that meant they were easily viewable by just hitting F12.
Parson Said a ‘Hacker’ Had ‘Decoded the HTML Source Code’ Through a ‘Multi-Step Process’
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.
In a series of tweets following a press conference, Parson announced that an individual decoded the HTML source code and took the Social Security numbers of three teachers. He said the Cole County prosecutor and Highway Patrol’s Digital Forensic Unit would investigate the “serious” matter. He referred to the individual as a “hacker.”
He wrote on Twitter, in a series of tweets:
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators. We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.
Upon receiving this notice, DESE immediately contacted the Missouri Office of Administration ITSD, who programs and maintains the web application, to remove public access to the portal and update the code.
This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires.
A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.
Under Missouri law, a person commits the offense of tampering with computer data if he or she knowingly and without authorization accesses, takes, and examines personal information without permission. This data was not freely available and had to be converted and decoded.
The state does not take this matter lightly and we are working to strengthen our security to prevent this incident from happening again. The state is owning its part, and we are addressing areas in which we need to do better than we have done before.
We will not rest until we clearly understand the intentions of this individual and why they were targeting Missouri teachers.
People on Twitter Responded by Pointing Out That HTML Source Code Is Easily Viewable
On Twitter, “SSNs” began trending as people pointed out that they believed the real issue was leaving Social Security numbers viewable within the HTML source code. They pointed out that viewing HTML source code is a simple matter that often involves simply hitting F12.
Here’s another example of someone responding with an F12 reference.
One person wrote, “If Social Security numbers were in a website’s HTML then the wrongdoing here is not by the person who discovered it.”
Another person replied, “That’s literally plaintext.”
One person wrote: “‘decoded the HTML code’ is a weird way to say “opened the webpage after we made it publicly available.”
@GovParsonMO “decoded the HTML code” is a weird way to say “opened the webpage after we made it publicly available”
A Local Media Source Says They Are the Ones Who Alerted Parson About the Security Flaw
Josh Renaud of St. Louis Post-Dispatch reported that the government’s website had left the Social Security numbers of school teachers, administrators, and counselors in Missouri exposed and vulnerable.
The report noted that the Post-Dispatch had been the one to discover the security flaw and allowed the government to fix the issue before they reported on it. More than 100,000 Social Security numbers had been exposed. They reported that the numbers weren’t clearly visible, but could easily be found by simply reading the HTML source code on the webpages involved.
Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, told the Post-Dispatch that this was a major issue.
Khan said, “The fact that this type of vulnerability is still present in the DESE web application is mind boggling!”
The Post-Dispatch reported that the state’s Department of Elementary and Secondary Education (DESE) later blamed the Post-Dispatch for the issue. Education Commissioner Margie Vandeven wrote in a letter to teachers: “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”
However, the Post-Dispatch disputed this characterization, noting that they simply confirmed the vulnerability with three educators before warning the department about the security flaw. The DESE press release referred to the individual as a hacker, but that person was actually a reporter who found the vulnerability and then warned the government about it, the Post-Dispatch reported.
Post-Dispatch attorney Joseph Martineau said:
The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.
The Post-Dispatch later reported that Parson said the news outlet itself was going to be held responsible. The Post-Dispatch reported that Parson said the individual who told DESE about the flaw wanted to “embarrass the state and sell headlines for their news outlet.”
Khan told the Post-Dispatch that the confidential information was encoded by not encrypted.
READ NEXT: Hallmark’s Christmas 2021 Lineup of Movies