SecurityWeek

Data Protection

Misconfigured Server Leaks Oklahoma Department of Securities Data

A storage server configured for public access was found to expose terabytes of data belonging to the Oklahoma Department of Securities, UpGuard reveals.

The server was found on December 7, and Oklahoma was notified of the exposure on December 8, when public access was removed. It is uncertain how long the data store was exposed, but the server first appeared on Shodan (a search engine that indexes Internet-connected devices and services) on November 30.

The data on the server totaled three terabytes and millions of files, containing personal information, system credentials, internal documentation, and communications intended for the Oklahoma Securities Commission, among others.

“The amount, and reach, of administrative and staff credentials represents a significant impact to the Oklahoma Department of Securities’ network integrity,” UpGuard says.

While analyzing the exposed data, UpGuard security researchers discovered that it was generated over the course of three decades, “with the oldest data originating in 1986 and the most recent modified in 2016.”

The server was exposed through an unsecured rsync service listening on an IP address registered to the Oklahoma Office of Management and Enterprise Services. The service required no password and imposed no source-address restriction, so anyone on the Internet could download all of the stored files.
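
As an added example (not code from the article or from UpGuard), the Python script below parses an rsyncd.conf and flags the combination that leaves a module world-readable: no `auth users`, no effective `hosts allow`, and anonymous module listing enabled. The sample configuration, module names and paths are constructed for illustration; the first module reproduces the exposed condition, the second shows the same data exported with the controls a practitioner would want.

```python
"""Added example (not from the article or UpGuard): audit an rsyncd.conf for
modules that anyone on the Internet can read anonymously, the condition that
exposed the Oklahoma server. Module and path names below are constructed."""
import re
from typing import Dict, List

# Constructed sample config: the first module is exported the way the leaked
# server appears to have been (no auth, no host restriction); the second is
# the same data with authentication and a source-address allow-list.
SAMPLE_RSYNCD_CONF = """\
# Global options are defaults for every module unless the module overrides them.
uid = nobody
gid = nogroup
use chroot = yes

[backups]
    path = /srv/backups
    comment = mailbox and VM backups
    read only = yes
    list = yes

[backups-hardened]
    path = /srv/backups
    read only = yes
    list = no
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
    hosts deny = *
"""

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse rsyncd.conf into {module: {option: value}}.

    Options before the first [module] header are global and are merged into
    every module as defaults, matching how rsyncd applies them. Option names
    are lowercased so 'Read Only' and 'read only' compare equal.
    """
    global_opts: Dict[str, str] = {}
    modules: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    for opts in modules.values():
        for key, value in global_opts.items():
            opts.setdefault(key, value)
    return modules


def audit_module(opts: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one module; an empty list means OK.

    Defaults follow rsyncd: 'read only' and 'list' default to yes, while
    'auth users' and 'hosts allow' are unset (i.e. wide open) unless given.
    """
    findings: List[str] = []
    auth_users = opts.get("auth users", "")
    hosts_allow = opts.get("hosts allow", "")
    if not auth_users:
        findings.append("no 'auth users': clients connect without a password")
    if hosts_allow in ("", "*", "0.0.0.0/0"):
        findings.append("no effective 'hosts allow': any source address is accepted")
    if opts.get("read only", "yes").lower() in _FALSE:
        findings.append("'read only = no': clients can upload and overwrite files")
    if opts.get("list", "yes").lower() in _TRUE and not auth_users:
        findings.append("'list = yes' without auth: module shows up in anonymous listings")
    if auth_users and not opts.get("secrets file"):
        findings.append("'auth users' set but no 'secrets file': authentication cannot succeed")
    return findings


def audit_rsyncd_conf(text: str) -> Dict[str, List[str]]:
    """Audit every module in a config; modules with no findings map to []."""
    return {name: audit_module(opts) for name, opts in parse_rsyncd_conf(text).items()}


if __name__ == "__main__":
    for module, findings in audit_rsyncd_conf(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}] {'OK' if not findings else 'EXPOSED'}")
        for finding in findings:
            print(f"    - {finding}")
```

From the outside, the same condition is visible with a plain client: `rsync rsync://HOST/` against an anonymous daemon returns the module list (every module with `list = yes`), and `rsync -av rsync://HOST/MODULE/ ./out/` pulls the contents without a prompt. Fixing the config is necessary but not sufficient; the daemon should also not be reachable from the Internet at all, since `auth users` passwords are sent using rsync's own challenge-response and the file data itself travels in cleartext.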

The researchers also note that the Securities Commission website runs outdated software, including the IIS 6.0 web server, which reached end of life in July 2015 and no longer receives security patches; that is a major security risk in its own right.

The server contained dozens of file types, including over one hundred gigabytes (GB) of Outlook data files, nearly 60 GB of virtual machine disk files, nearly 50 GB of PDF files, 30 GB of log files, 23 GB of Outlook items, and 17 GB of ZIP archives.

The researchers found email backups from 1999 to 2016 on the server, and note that these PST files often include plaintext passwords, images of identification cards, tax documents, and internal strategic deliberations.

“Storing backups of email mailboxes is a common practice required by data retention policies. The contents of those backups rarely include concentrated sensitive data, like in a user database, but over the course of thousands of emails people invariably reveal information intended to be private,” UpGuard notes.

One database included information on around ten thousand brokers, including their social security numbers. A CSV file contained date of birth, state of birth, country of birth, gender, height, weight, hair color, and eye color for over a hundred thousand brokers.

Credentials found on the server included VNC credentials for remote access to Department of Securities workstations, a BlueExpress database of credentials for third parties submitting securities filings, and a spreadsheet of IT services with the usernames and passwords for accounts with Thawte, Symantec Protection Suite, Tivoli, and others.

UpGuard also notes that “the scale of the data makes it impractical to perform any kind of exhaustive documentation of the exposed information.”

“Leaking three terabytes of the FBI’s data due to leaving a server unsecured without a password is a critical error and indicates the need for the Oklahoma Securities Commission, as well as other government agencies, to strengthen their current security measures to ensure future breaches can be avoided in the first place,” Jonathan Bensen, interim CISO and senior director of product management, Balbix, told SecurityWeek in an emailed comment.

“Leaving a database containing such critical information unsecured is an elementary mistake for which there is no excuse,” Bensen added.

Matan Or-El, co-founder and CEO of Panorays, commented, “Data security is not necessarily always about protecting from attackers; quite often it’s about protecting against mistakes. The Oklahoma data leak is the latest in a long series of incidents in which sensitive data was exposed to the internet by mistake, where anyone could access it. By continuously monitoring the attack surface of an organization, one can learn a lot about the security and data hygiene practices of an organization.”

Related: More .gov Domains Hit by Government Shutdown

Related: Elasticsearch Instances Expose Data of 82 Million U.S. Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
