A server at the Oklahoma Securities Commission exposed millions of sensitive files, including thousands of individuals’ Social Security numbers and other personal identifying information, the names and conditions of terminally ill AIDS patients and email archives going back to 1999, as well as information related to FBI investigations.
The exposure was discovered by the cybersecurity firm UpGuard, which announced Wednesday that it had notified state officials about it late last year. In a post on its website, the company says on Dec. 7 one of its analysts spotted the commission’s server on Shodan, a search engine for internet-connected devices, and identified it as potentially storing sensitive files. Oklahoma officials were notified the next day, and public access to the server was removed.
While the information was technically accessible through the open internet, UpGuard did not report any evidence that it was downloaded by malign actors nor used for illicit purposes. The Oklahoma Securities Commission did not respond to a request for comment on the breach.
The commission is responsible for regulating the financial industry’s activity in the state and protecting residents from fraud. In doing so, it maintains records on financial professionals and companies doing business there. According to UpGuard, some of the exposed files date back to 1986, with the most recent being created or modified in 2016.
In its report, UpGuard ranks the server as the most vulnerable across Oklahoma state government. The commission’s website runs on a version of Microsoft’s Internet Information Services web server that the company stopped supporting in July 2015, and has therefore not had any vulnerabilities patched in more than three years.
“Of all the sites on the ok.gov domain, securities.ok.gov has the worst risk score,” UpGuard’s report reads.
The Oklahoma Securities Commission is one of a handful of the state’s agencies that is not supported by the Office of Management and Enterprise Services, the state’s information technology agency. As an independent commission, it opted out of consolidating its IT infrastructure along with the rest of the state. As a result, it does not receive services from OMES, Shelley Zumwalt, the office’s public affairs director, told StateScoop.
UpGuard’s analysts found 17 years’ worth of email archives, along with a trove of virtual machine disk image backups. Those include system credentials, financial information, and personal files that users created or opened on their work machines. The disk images could also contain users’ internet browsing history and cached passwords.
UpGuard also found accounting and administration files containing vast amounts of personal information of thousands of financial professionals. A Microsoft Access database on the exposed server contained the Social Security numbers of about 10,000 brokers, while a spreadsheet labeled “IdentifyingInformation.csv” contained the birth dates, birth locations, heights, weights and eye colors for as many as 100,000 brokers.
A third database contained the health information of “viators,” an insurance-industry term for terminally ill patients who sell their policies to a third party. The Oklahoma database included the names and cell counts of AIDS patients, UpGuard found.
UpGuard also found correspondence related to FBI investigations going back to 2012. While alarming, the FBI files account for a small portion of the overall exposure, Chris Vickery, UpGuard’s director of risk research, told StateScoop.
“Honestly, the biggest part of the whole thing that isn’t being talked about enough is the 17 years of email backups,” he said.
The server also exposed login names and passwords used by commission employees, registered brokers and third-party vendors, which UpGuard claims could’ve increased the risk of additional exposures, had the server remained unsecured.
“While exposed system credentials do not immediately impinge on individuals’ privacy in the same way that exposed personal information does, they carry systemic risk that may result in secondary breaches,” the report reads.