An unsecured storage server belonging to the Oklahoma Department of Securities exposed millions of files, containing personal data, systems credentials and internal commission documents as well as communications meant for the Oklahoma Securities Commission.
The server, discovered by the UpGuard Data Breach Research team, has since been secured, the researchers said in a blog post.
While UpGuard doesn’t know how long the server was open to the public – the Shodan search engine first found it to be publicly available on Nov. 30, 2018 – the data it housed “was generated over decades, with the oldest data originating in 1986 and the most recent modified in 2016,” the researchers wrote of the exposure, which they said could have a “severe impact” on the department’s network integrity. “The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server.”
Noting that “administrative and management errors” exposed nearly three terabytes of data at the commission, worsened because “most of the data across these many millions of files were not encrypted,” CipherCloud CEO Pravin Kothari, said that if data is encrypted, even when exposed, it’s not, by definition, considered breached.
“Sensitive data is often shared in vulnerable places, so Oklahoma’s potential breach of 3TB of FBI data isn’t especially shocking,” said Kevin Bocek, vice president, security strategy and threat intelligence at Venafi. “However, if we examine securities.ok.gov, it appears that the state is not using trusted machine identities, like TLS keys and certificates.”
UpGuard said “the scale of the data makes it impractical to perform any kind of exhaustive documentation of the exposed information” so researchers instead scrutinized the types of digital artifacts – stored emails and virtual machine disk images – and types of data they contained, including personal information, system credentials and business data.
While the department failed to maintain control over its data stores, the researchers wrote, “the good news is that, while the contents of the server extended over years, the known period of exposure was quite short.”