Another official might have thanked the newspaper for spotting the flaw and giving a heads-up before publicizing it — or at least downplayed what appears to be an embarrassing government mishap. But Missouri Gov. Mike Parson (R) did the opposite: He called the journalist “a hacker” who may face civil or criminal charges for “decod[ing]” HTML code on the Department of Elementary and Secondary Education website and viewing three Social Security numbers.
The journalist was “acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Parson announced Thursday. He said that he had referred the case to the Cole County prosecutor and the Missouri State Highway Patrol’s Digital Forensic Unit.
The announcement immediately drew appalled reactions from The Post-Dispatch and other journalistic organizations.
“We stand by our reporting and our reporter who did everything right,” Ian Caso, president and publisher of The Post-Dispatch, said in a statement. “It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.”
Committee to Protect Journalists’ U.S. and Canada program coordinator Katherine Jacobsen called Parson’s legal threats “absurd.”
“Using journalists as political scapegoats by casting routine research as ‘hacking’ is a poor attempt to divert public attention from the government’s own security failing,” she told The Washington Post in an email.
Josh Renaud, The Post-Dispatch journalist who wrote the story, did not return The Washington Post’s inquiry.
According to his article, which first published Wednesday, he discovered the vulnerability on a public database that allows anyone to look up teacher credentials.
The employees’ Social Security numbers were not searchable in the database or immediately visible upon opening the page, the article reads, but they could be seen in the HTML source code, which is easily viewable on most websites. (If you are reading this article on a standard Web browser, you can probably see its HTML code by right clicking and selecting “view page source,” or a similar option.)
With the help of three educators and a cybersecurity expert, the journalist confirmed that the figures were indeed Social Security numbers and informed the state about the problem, The Post-Dispatch reported.
In his address Thursday, Parson made the simple procedure sound nefarious. He said The Post-Dispatch journalist undertook a “multistep process” to take “the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators.”
This, Parson said, was unlawful. He took no questions from reporters.
Parson spokeswoman Kelli Jones would not comment on the pushback, citing the ongoing criminal investigation. But she said via email on Friday that “the hack was more than just a click of a mouse or a ‘right click,’” and that “by the actor’s own admission, the data had to be taken through eight separate steps to generate a [Social Security number].”
The governor’s office highlighted a Missouri law against “tampering with computer data,” a misdemeanor carrying a penalty of up to a year in jail and up to a $2,000 fine — unless the person violated the law to obtain $750 or more, in which case it’s a felony. Another Missouri code allows a lawsuit for damages.
Post-Dispatch spokeswoman Tracy Rouch declined to provide more information on the specifics of their reporting, citing the ongoing investigation by the Missouri State Highway Patrol. “We believe no basis exists to justify any investigation and that our reporter and this news organization acted properly in all respects.”
Post-Dispatch attorney Joe Martineau said in a statement the state agency was deflecting “its failure by referring to this as ‘hacking.’”
“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” Martineau said. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.”
Parker Higgins, advocacy director at the Freedom of the Press Foundation, said “whether expressly or intentionally, this is an effort to intimidate a reporter who is doing important reporting and uncovering a newsworthy story.”
Higgins also said it’s the latest example of a long-standing problem in which researchers are attacked after discovering security flaws and alerting the website owners to create a safer online environment. “That’s a bad way to do security. You do want this kind of disclosure handled and the person not feel they should do something else with it, like monetize it.”
“If you start calling that hacking, it really is criminalizing a whole swath of behavior and not just among reporters, but also concerned citizens,” Higgins added.
Parson said “this incident alone may cost Missouri taxpayers up to $50 million” and that the state was taking steps to address the security vulnerability.
His address was streamed on Facebook. Below the video, several commenters jokingly offered the governor a little tech support — pointing out that anyone could “hack” any website with the click of a menu.
Republican state representative Tony Lovasco, who according to The Post-Dispatch has an IT background and codes for a hobby, chimed in, too. He tweeted that Parson’s office “has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.”
“Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” he wrote.
This story, originally published Oct. 14, has been updated to include comments from Parson’s spokeswoman.