A trove of unprotected data including FBI investigations into corporations like AT&T, Goldman Sachs, and Lehman Brothers, along with personal information, has been exposed in a data leak by the Oklahoma Securities Commission.
Three terabytes of data – millions of files – were left on a server with no password protection, freely available to anyone who stumbled across them, according to cybersecurity researchers Greg Pollock and Chris Vickery at cybersecurity firm UpGuard.
New report this morning from my team within @UpGuard. The Oklahoma Department of Securities exposed an rsync host to the public internet with no username or password required to download. Mountains of broker PII and investigation files. https://t.co/BwnaImRdtv
— Chris Vickery (@VickerySec) January 16, 2019
The files belonged to the Oklahoma Securities Commission, the government agency that regulates all financial securities business in the state. Among them were FBI files dating back seven years, covering cases open since the 1980s.
These documents included spreadsheets, interviews with witnesses, bank records, and emails and letters from agents, witnesses, and subjects. Major companies involved with these cases included AT&T, Goldman Sachs, and Lehman Brothers.
Personal information on around ten thousand brokers was also exposed, including their social security numbers. Life insurance information, including names of AIDS patient and T cell counts was also revealed.
“It represents a compromise of the entire integrity of the Oklahoma department of securities’ network,” UpGuard’s head of research Chris Vickery told Forbes. “It affects an entire state level agency… It’s massively noteworthy.”
Hackers interested in the files could have acquired them with minimal effort. The server they were stored on was not password protected, and could have been identified with readily available software that scans the internet for such servers. Within the server, the UpGuard team found further vulnerabilities. Passwords for agency computers were stored there, and encrypted files were stored in the same folders as unencrypted versions.
Once the breach was discovered, the data was transferred to a secure server. But, UpGuard cannot tell who may have accessed it in the interim. Vickery told Forbes that the commission’s response was “irresponsible,” as the OSC seemed uninterested in checking what had been done with the data.
The Oklahoma Securities Commission is not the only government department to be caught with its pants down in recent years. A database of information on 191 million voters in all 50 states was left open to the public on an unconfigured server in 2015. In a similar case in 2011, the Texas Comptroller’s Office admitted that it had inadvertently stored 3.5 million Texans’ personal information on a publicly accessible state server.
The corporate world is also rife with similar stories. Last April, data from 48 million social media users was left in an unsecured Amazon server by LocalBlox, a data analytics company. In December, Level One Robotics, a company that provides robots for the auto industry, left data on an unsecure server. Auto giants Volkswagen, Chrysler, Ford, Toyota, General Motors and Tesla all had confidential data exposed in the leak.
Think your friends would be interested? Share this story!