Oklahoma Department of Securities Exposes 3TB of Data


The Oklahoma Department of Securities Commission (ODS) disclosed a huge data leak last week. Many of the files, some dating back decades, included details of FBI investigations, social security numbers, names of AIDS patients, and credentials for remote access to computers.

Researchers at UpGuard first found, reported, and secured the unsecured storage server leaking the private data. They noticed the publicly accessible server on December 7th and notified ODS on December 8th. Researchers found that the IP address was first publicly accessible on November 30th, 2018.

Three terabytes of data were exposed. The leaked files dated back to 1986, with the most recent dating to 2016. Many of the archived files included backups of Microsoft Exchange emails from 1999 to 2016, with the largest email backup reaching up to 16GB.

The data leak occurred through an unsecured rsync service on an IP address belonging to the Oklahoma Office of Management and Enterprise Services, which allowed anyone to download the stored files. The rsync server had accounting, administration, and investigatory directories, as well as virtual machine backups. Many of the leaked files were related to financial and personal data. One Microsoft Access database contained private information on ten thousand brokers. A CSV contained date of birth, state of birth, country of birth, gender, height, weight, hair color, and eye color for a hundred thousand brokers.

According to UpGuard:

“The website for the Securities Commission has an UpGuard Cyber Risk score 171 out of 950, indicating severe risk of breach. Among the issues lowering the website’s score is the use of the web server IIS 6.0, which reached end of life in July 2015, meaning no updates to address any newly discovered vulnerabilities have been released in the last three and a half years. Of all the sites on the ok.gov domain, securities.ok.gov has the worst risk score.”

Government organizations need to focus on securing private information belonging to both the organization and its people. This organization's website scored very low, in part because its web server has received no updates in the last three and a half years. It is important to consistently update your infrastructure and create backups.

For best-practice solutions, contact LIFARS for a gap analysis of your organization.