Misconfigured Server Leaks Oklahoma Department of Securities Data

A storage server configured for public access was found to expose terabytes of data belonging to the Oklahoma Department of Securities, UpGuard reveals.

The server was found on December 7 and Oklahoma was notified of the exposure on December 8, when public access was removed. While it’s uncertain for how long the data store was exposed, the server first appeared on Shodan (a search engine for Internet-facing IP addresses) on November 30.

The data on the server totaled three terabytes and millions of files, containing personal information, system credentials, internal documentation, and communications intended for the Oklahoma Securities Commission, among others.

“The amount, and reach, of administrative and staff credentials represents a significant impact to the Oklahoma Department of Securities’ network integrity,” UpGuard says.

While analyzing the exposed data, UpGuard security researchers discovered that it was generated over the course of three decades, “with the oldest data originating in 1986 and the most recent modified in 2016.”

The server was exposed because of an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, which allowed any user worldwide to download all of the stored files.

The researchers also note that the website for the Securities Commission uses outdated software, such as the IIS 6.0 web server, which reached end of life in July 2015; this also represents a major security risk.

The server contained tens of file types, including over one hundred gigabytes (GB) of Outlook data files, nearly 60 GB of virtual machine disk files, nearly 50 GB of PDF files, 30 GB of log files, 23 GB of Outlook items, and 17 GB of ZIP archives.

The researchers found email backups from 1999 to 2016 on the server, and note that these PST files often include plaintext passwords, images of identification cards, tax documents, and internal strategic deliberations.

“Storing backups of email mailboxes is a common practice required by data detention policies. The contents of those backups rarely includes concentrated sensitive data, like in a user database, but over the course of thousands of emails people invariably reveal information intended to be private,” UpGuard notes.

One database included information on around ten thousand brokers, including their social security numbers. A CSV file contained date of birth, state of birth, country of birth, gender, height, weight, hair color, and eye color for over a hundred thousand brokers.

Credentials found on the server included VNC credentials for remote access to Department of Securities workstations, a BlueExpress database of credentials for third parties submitting securities filings, and a spreadsheet of IT services with the usernames and passwords for accounts with Thawte, Symantec Protection Suite, Tivoli, and others.

UpGuard also notes that “the scale of the data makes it impractical to perform any kind of exhaustive documentation of the exposed information.”

“Leaking three terabytes of the FBI’s data due to leaving a server unsecured without a password is a critical error and indicates the need for the Oklahoma Securities Commission, as well as other government agencies, to strengthen their current security measures to ensure future breaches can be avoided in the first place,” Jonathan Bensen, interim CISO and senior director of product management, Balbix, told SecurityWeek in an emailed comment.

“Leaving a database containing such critical information unsecured is an elementary mistake for which there is no excuse,” Bensen added.

Matan Or-El, co-founder and CEO of Panorays, commented, “Data security is not necessarily always about protecting from attackers; quite often it’s about protecting against mistakes. The Oklahoma data leak is the latest in a long series of incidents in which sensitive data was exposed to the internet by mistake, where anyone could access it. By continuously monitoring the attack surface of an organization, one can learn a lot about the security and data hygiene practices of an organization.”

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
