Unprotected server of Oklahoma Department of Securities exposes millions of government files

A huge trove of data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a server for at least a week.

Another data leak made the headlines, a huge trove of data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a server for at least a week.
It is not clear how long data were left exposed online, according to the Shodan search engine, the server had been publicly open since at least November 30, 2018.

The unsecured storage server was discovered by security expert Greg Pollock from UpGuard, it contained 3 terabytes of data including millions of sensitive Government files and years worth of sensitive FBI investigations.

Other documents included social security numbers, names, and addresses
for over a hundred thousand brokers, credentials for remote access to ODS workstations, and communications meant for the Oklahoma Securities Commission.

The server also included email backups from 1999 to 2016, the largest and most recent reaching 16GB in size.

The exposed information includes passwords that could have used by an attacker to remotely access the state agency’s workstations, and credentials to access several internet services.

Digging in the archive it is also possible to find information related to people with AIDS including patient names and T cell counts.

“By the best available measures of the files’ contents and metadata, the data was generated over decades, with the oldest data originating in 1986 and the most recent modified in 2016,” reads a blog post published by UpGuard.

“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server.”

UpGuard immediately notified the discovery to the ODS department, the storage server was secured by the agency.

The Oklahoma Securities Commission published a press release to disclose the data leak, it announced that a forensic team is still investigating the case.

“The Oklahoma Department of Securities (ODS) has initiated a comprehensive review of the circumstances surrounding an incident involving the inadvertent exposure of information during installation of a firewall.” reads the press release.

“An accidental vulnerability of limited duration to a server containing archived data was discovered and immediately secured. The ODS has notified law enforcement and OMES regarding the incident. A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Oklahoma Department, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]