
Misconfigured Server Leaks Oklahoma Department of Securities Data

A storage server configured for public access was found to expose terabytes of data belonging to the Oklahoma Department of Securities, UpGuard reveals.


The server was found on December 7 and Oklahoma was notified of the exposure on December 8, when public access was removed. While it’s uncertain for how long the data store was exposed, the server first appeared on Shodan (a search engine for Internet-facing IP addresses) on November 30.

The data on the server totaled three terabytes and millions of files, containing personal information, system credentials, internal documentation, and communications intended for the Oklahoma Securities Commission, among others.

“The amount, and reach, of administrative and staff credentials represents a significant impact to the Oklahoma Department of Securities’ network integrity,” UpGuard says.

While analyzing the exposed data, UpGuard security researchers discovered that it was generated over the course of three decades, “with the oldest data originating in 1986 and the most recent modified in 2016.”

The server was exposed because of an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, which allowed any user worldwide to download all of the stored files.
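For administrators checking their own rsync daemons for this kind of exposure, the following added example (not from UpGuard or the original article) audits `rsyncd.conf` text for modules that can be read without credentials or from any address. The sample configuration, module names and paths are constructed for illustration; `auth users`, `secrets file` and `hosts allow` are standard rsyncd.conf parameters.

```python
import re

# Constructed sample rsyncd.conf (module names and paths are made up).
SAMPLE_CONF = """\
uid = nobody
[backups]
    path = /srv/backups
[filings]
    path = /srv/filings
    auth users = filer
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
[archive]
    path = /srv/archive
    Auth Users = ops
"""

def _key(name):
    # rsyncd ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_rsyncd_conf(text):
    """Return {module: params}; global parameters act as module defaults."""
    text = re.sub(r"\\\n", "", text)  # join lines continued with a backslash
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(defaults))
        elif "=" in line:
            name, value = line.split("=", 1)  # only the first '=' counts
            (defaults if current is None else current)[_key(name)] = value.strip()
    return modules

def audit(text):
    """Map each module to its access-control gaps (ignores 'hosts deny' and firewalls)."""
    report = {}
    for module, params in parse_rsyncd_conf(text).items():
        gaps = []
        if not params.get("authusers"):
            gaps.append("no-auth-users")      # anyone can read without a password
        elif not params.get("secretsfile"):
            gaps.append("no-secrets-file")    # users named, but no file to verify them
        if not params.get("hostsallow"):
            gaps.append("no-hosts-allow")     # no source-address restriction
        report[module] = gaps
    return report
```

Calling `audit(SAMPLE_CONF)` flags the `backups` module as readable anonymously from any address, which is the condition described in the incident.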

The researchers also note that the Securities Commission’s website runs outdated software, such as the IIS 6.0 web server, which reached end of life in July 2015 and represents a major security risk in its own right.

The server contained tens of file types, including over one hundred gigabytes (GB) of Outlook data files, nearly 60 GB of virtual machine disk files, nearly 50 GB of PDF files, 30 GB of log files, 23 GB of Outlook items, and 17 GB of ZIP archives.

The researchers found email backups from 1999 to 2016 on the server, and note that these PST files often include plaintext passwords, images of identification cards, tax documents, and internal strategic deliberations.

“Storing backups of email mailboxes is a common practice required by data detention policies. The contents of those backups rarely includes concentrated sensitive data, like in a user database, but over the course of thousands of emails people invariably reveal information intended to be private,” UpGuard notes.

One database included information on around ten thousand brokers, including their social security numbers. A CSV file contained date of birth, state of birth, country of birth, gender, height, weight, hair color, and eye color for over a hundred thousand brokers.

Credentials found on the server included VNC credentials for remote access to Department of Securities workstations, a BlueExpress database of credentials for third parties submitting securities filings, and a spreadsheet of IT services with the usernames and passwords for accounts with Thawte, Symantec Protection Suite, Tivoli, and others.

UpGuard also notes that “the scale of the data makes it impractical to perform any kind of exhaustive documentation of the exposed information.”

“Leaking three terabytes of the FBI’s data due to leaving a server unsecured without a password is a critical error and indicates the need for the Oklahoma Securities Commission, as well as other government agencies, to strengthen their current security measures to ensure future breaches can be avoided in the first place,” Jonathan Bensen, interim CISO and senior director of product management, Balbix, told SecurityWeek in an emailed comment.

“Leaving a database containing such critical information unsecured is an elementary mistake for which there is no excuse,” Bensen added.

Matan Or-El, co-founder and CEO of Panorays, commented, “Data security is not necessarily always about protecting from attackers; quite often it’s about protecting against mistakes. The Oklahoma data leak is the latest in a long series of incidents in which sensitive data was exposed to the internet by mistake, where anyone could access it. By continuously monitoring the attack surface of an organization, one can learn a lot about the security and data hygiene practices of an organization.”


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
