Missouri will not prosecute ‘hacker’ reporter for daring to view state website HTML

The State of Missouri will not prosecute a journalist branded a “hacker” for viewing website source code and reporting a serious security leak. 

In October 2021, St. Louis Post-Dispatch reporter Josh Renaud published a story documenting the exposure of Social Security numbers belonging to teachers, administrators, and counselors caused by security flaws in the Missouri Department of Elementary and Secondary Education’s website. 

Over 100,000 SSNs were reportedly exposed. 

Renaud discovered the issue in a search function on the website and all it took to find SSNs was to press F12 and view the website’s HTML through the developer console. 

The news outlet did not go ahead with the story until the department took the impacted pages down and remove the search tool. 

St. Louis Post-Dispatch reported the flaw, that allowed anyone with a browser to view this sensitive data, privately to DESE prior to publication. However, Missouri Governor Mike Parson took a dim view of the responsible disclosure. 

On Twitter, Parson alleged that the journalist “took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.”

Parson said:

“This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires.

A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.

We will not rest until we clearly understand the intentions of this individual and why they were targeting Missouri teachers.”

Locke Thompson, a Cole County Prosecutor, has declined to press charges. In a statement last week (.PDF), Thompson thanked the governor for his concerns and while “there is an argument to be made that there was a violation of law,” the “issues at the heart of the investigation have been resolved through non-legal means.”

“As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case,” the prosecutor said. 

The Cole County Prosecutor’s Office will not comment further on the case.

After the threat of prosecution was dissolved, Post-Dispatch Publisher Ian Caso said that the “accusations against our reporter were unfounded and made to deflect embarrassment for the state’s failures and for political purposes.”

Renaud said the decision was a “relief” but does not “repair the harm done to me and my family.”

In an interview with St. Louis on the Air, the journalist added that the governor has missed an opportunity to “change the public discourse” and “to change the way the politics are done in the state.”

Previous and related coverage

• Missouri governor faces backlash and ridicule for threatening reporter who discovered exposed teacher SSNs
  
  
• How the initial access broker market leads to ransomware attacks
  
  
• Squirrelwaffle, Microsoft Exchange Server vulnerabilities exploited for financial fraud

---

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

---