JEFFERSON CITY, Mo. (KMOV.com) -- Missouri Governor Mike Parson addressed the public Thursday morning after the St. Louis Post-Dispatch published an article claiming more than 100,000 Missouri teachers' Social Security numbers were at risk of being accessed.
The Post-Dispatch discovered teachers' Social Security numbers appeared in the HTML source code on some pages of the Department of Elementary and Secondary Education's website. The newspaper contacted the department and allowed it time to fix the issue before publishing the article Wednesday night.
Gov. Parson blasted the Post-Dispatch in his Thursday press conference, saying the report was a politically motivated attack and illegal.
The Missouri Department of Elementary and Secondary Education has called the reporter who discovered the vulnerability a "hacker."
"They were acting against the state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines," Parson claimed during a Facebook Live video.
Parson went as far as calling it a crime and claiming the investigation into the matter could cost Missouri taxpayers up to $50 million. The Post-Dispatch outlined in its report that it wasn't clear if anyone had actually exploited the website's flaw but that the information was there.
"The reporter did the responsible thing by reporting his findings to the Department of Elementary and Secondary Education so that the state could act to prevent disclosure and misuse," St. Louis Post-Dispatch Attorney Joe Martineau said. "A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as 'hacking' is unfounded. Thankfully, these failures were discovered."
News 4 spoke with Scott Granneman, an adjunct professor at Webster University who teaches about internet security.
"The short of it is, somebody at the Department of Education screwed up, badly," he said.
Granneman said it's not plausible that the reporter would be able to hack into a state database.
The Post-Dispatch report on the vulnerability said the Social Security numbers were embedded in the source code of the web page. The HTML source code of any web page is publicly viewable in a browser by pressing Ctrl+U on a keyboard.
"If Social Security numbers were found in source code, somebody at the Department of Education doesn't know what they're doing or completely screwed up. Because that should never happen. Anyone who is a competent administrator would never let passwords, sensitive data, like Social Security numbers, etcetera, go into the source code," Granneman said.
Parson said he was calling in the Missouri State Highway Patrol's digital forensic unit to investigate and referring the matter to the Cole County prosecutor's office.
The governor left immediately after the press conference and did not respond to reporters' questions.
After the press conference, Missouri State Rep. Tony Lovasco tweeted, "It's clear the Governor's office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities. Journalists responsibly sounding an alarm on data privacy is not criminal hacking."