10/15/2021 by Alisa Nelson of MissouriNet
Gov. Mike Parson and a fellow Republican lawmaker do not see eye to eye on the way a state web application flaw is being handled.
During a press conference this week, Parson has threatened criminal prosecution after he says a news organization took several steps to discover a vulnerability in a Missouri Department of Elementary and Secondary Education Department web application. The flaw had the ability to show the social security numbers of educators, putting the private information of nearly 100,000 teachers at risk.
The St. Louis Post-Dispatch says it notified the state of the flaw first and gave the agency time to remove the online details.According to Parson, the St. Louis Post-Dispatch did not have permission to do what it did. He says the newspaper was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines.”
Representative Tony Lovasco, R-O’Fallon, tells Missourinet the newspaper was not trying to maliciously break into a system. Lovasco has worked in the IT business for about 20 years.
“Looking at the source code and even going through and decoding, as they say, some information that is otherwise open in the clear to anyone who has a web browser – that’s not at all the same as someone who is attempting to actually enter the network without authorization,” says Lovasco. “Regardless of what the law actually says, I think just decency says we should not be prosecuting someone who very clearly did not have malicious intent. I definitely think that the General Assembly ought to look at making the statute a little bit more clear as to how we handle whistleblowers in these types of situations. But I would just say the proper thing to do is to thank the guy for his service, fix the situation and move on.”
“There’s a cliche we hear a lot a lot in government that, you know if you see something, say something. This gentleman saw something. He said something. Now, he’s getting threats. I don’t think that’s how it’s supposed to work,” Lovasco says.He says he does not think Parson’s threat is going to encourage people to come forward when future state data security problems are found.
Lovasco says the Legislature should consider clarifying law when handling whistleblowers during these situations.
The issue has given some critics of K-12 Education Commissioner Margie Vandeven ammunition to once again blast her, especially those from the school choice and anti-critical race theory crowds. School choice legislation and restrictions on racial history education are made by the Legislature – not the Missouri Education Department. DESE spokeswoman Mallory McGowin tells Missourinet Dr. Vandeven has no plans to resign.
The application containing the weakness is maintained within the Missouri Office of Administration