Cybersecurity expert demands apology from Missouri governor over hacking claims
University of Missouri-St. Louis professor Shaji Khan helped the St. Louis Post-Dispatch report data breach on state system
Shaji Khan, associate professor of information technology at the University of Missouri–St. Louis (photo by August Jennewein/UMSL campus photographer).
A cybersecurity expert targeted for investigation by Missouri Gov. Mike Parson is demanding a public apology and payment for his costs for legal help and damage to his reputation.
Shaji Khan, an associate professor at University of Missouri-St. Louis and director of its Cybersecurity Institute, made the demand in a letter sent Thursday by attorney Elad Gross to Parson’s office, several state and local agencies and a political committee that supports Parson.
The letter demands that the “Missouri Office of Administration, the Missouri Department of Elementary and Secondary Education, Gov. Mike Parson, Commissioner Margie Vandeven, and Uniting Missouri PAC release separate, detailed and public statements apologizing to Professor Khan, to be shared on their respective websites, with Missouri and national press outlets, on social media sites, and to anyone the parties communicated their false accusations.”
Khan was a source used by the St. Louis Post-Dispatch for a story about how a Department of Elementary and Secondary Education website allowed access to the Social Security numbers of educators. The letter states that he helped the newspaper after it agreed to withhold any story about the security issue until it had been addressed and teacher Social Security numbers were no longer at risk of public exposure.
“Professor Khan is a respected expert in his field who has repeatedly performed valuable services for the state of Missouri and its residents,” Gross wrote. “The state, its officials and their political operations have no grounds to defame and harass a private citizen who helped protect Missouri teachers.”
The letter is a “litigation hold request and demand,” sent by attorneys to potential targets of a lawsuit to alert them to preserve their records or face sanctions in court.
On the day the Post-Dispatch’s story was published, Parson called reporters to his office to read a statement accusing the reporter and those who helped verify what was found of being hackers who should be criminally prosecuted. He did not take any questions.
“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” Parson said.
In the Thursday letter, Gross demanded that “Gov. Mike Parson convenes and livestreams another press conference to apologize to Professor Khan, sharing and maintaining the video on the governor’s social media pages.”
Parson’s office did not respond to a request for comment on the letter.
In his statement last week, Parson directed the Missouri State Highway Patrol to investigate and said he had notified Cole County Prosecuting Attorney Locke Thompson.
Last Friday, Khan got a call from the patrol, the letter states.
“The trooper confirmed that the interview regarded statements Professor Khan had made to the St. Louis Post-Dispatch,” Gross wrote.
Gross told The Independent that Khan called him and the interview has not yet taken place.
“The interview will be happening,” he said. “We are cooperating and it looks like it will happen on Monday.”
Asked for information about the status of the investigation, patrol spokesman Lt. Eric Brown wrote that it is ongoing and that he could not comment further.
Thompson told The Independent earlier this week that the timeline for the inquiry is in the hands of the patrol.
Parson’s call for prosecution of the reporter and others involved in the story was met with bipartisan criticism.
“Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” tweeted state Rep. Tony Lovasco, a Republican who has worked in software development. House Democratic Leader Crystal Quade of Springfield said the problem is poor security on state websites, not journalists who identify a weakness.
The Social Security numbers were available through a publicly accessible website designed to allow users to check the credentials of educators. The website is currently disabled.
To verify that the numbers were being used in a way that made them available to anyone who visited the site, Gross wrote, Khan took three standard steps for checking security after he reached the webpage. The webpage did not require a log-in to search the database of credentialed educators.
Khan viewed the source code and identified “a suspicious piece” of the code. He copied it to a text document, revealing the Social Security number of the individual found in the search.
“This entire process could be completed by anyone in a matter of just a few minutes,” Gross wrote. “None of the data was encrypted, no passwords were required, and no steps were taken by the state of Missouri to protect the Social Security numbers of its teachers that the state automatically sent to every website visitor.”
Uniting Missouri, a political action committee that backs Parson’s agenda, on Wednesday pushed back against criticism of Parson’s demand for prosecution. The PAC produced a video attacking the Post-Dispatch and stating Parson is “committed to bring to justice anyone who obtained private information.”
Gross’ letter states that Uniting Missouri has purchased two blocks of advertising on Facebook to promote the ad, targeting as many as 15,000 Missourians. He is demanding the PAC produce “another video apologizing to Professor Khan and purchases advertisements to promote that video as the organization is currently doing with its defamatory and false video.”
John Hancock, chairman of Uniting Missouri, declined to comment on the letter.
Along with Parson’s office, Uniting Missouri and the education department, the letter was sent to the Office of Administration, Thompson, the patrol, Attorney General Eric Schmitt and Victory Enterprises, which manages the Uniting Missouri Facebook account.
Along with the demands for an apology, the letter includes a legal analysis that accuses the education department of violating a law barring agencies from disclosing Social Security numbers of people in public databases.
The law against hacking that Parson cited as a basis for prosecution requires intent to steal the information and does not make it a crime to report a data security issue, Gross wrote.
“The government’s threat of prosecution would have a chilling effect on people of ordinary firmness and has had such an effect on Professor Khan,” Gross wrote. “Professor Khan has already had to suspend his normal interactions with members of the press. Additionally, the government’s retaliatory actions will deter other Missourians from assisting the state when they uncover wrongdoing.”