Review Underway After Millions Of Oklahomans' Personal Information Exposed
Oklahoma City, OK - Personal information from people across the state is at risk after a data breach at the Oklahoma Department of Securities.
Cyber security watchdog UpGuard discovered that the ODS left millions of documents visible online for at least a week last month.
According to the report, several social security numbers were exposed, many belonging to financial security brokers.
FBI investigation details were also leaked, including timelines and names of people interviewed.
Medical information from terminally ill patients was vulnerable during the breach, including T cell counts from Oklahoma AIDS patients.
“The fact that some people's status may have been made public without their consent or their will is not just illegal, it's really sad on a humanitarian level,” President of the Board of the Oklahoma AIDS Care Fund, Andy Moore, said.
Francis Tuttle Cyber Security Director, Greg Porter, says the leak could have been prevented, but likely occurred due to oversight.
“Apparently it wasn't encrypted, which is basically the only real protection we have,” Porter said.
Porter says the repercussions of the file leak have yet to be seen, but in the worst cases, could lead to identity theft or medical issues for victims.
However, Porter says the state can pass cyber security legislation to reduce the chances of this happening again.
“It’s kind of like the internet tax. The enforcement and the process of implementing it may be difficult, but I think that's probably the only way they're going to go,” Porter said.
According to a statement from the ODS, preventive steps are already being taken.
The ODS declined an interview opportunity with News 9 but sent the following statement regarding the breach:
“The Oklahoma Department of Securities (ODS) has initiated a comprehensive review of the circumstances surrounding an incident involving the inadvertent exposure of information during installation of a firewall. An accidental vulnerability of limited duration to a server containing archived data was discovered and immediately secured. The ODS has notified law enforcement and OMES regarding the incident. A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them. The ODS is also exploring remedial actions and notifications for anyone whose information may have been exposed. The ODS is reviewing internal procedures, controls and security measures to ensure such incidents cannot occur in the future.
The Department intends to make no further comment until the investigation is concluded and pertinent facts are established.”