The health, business and personal records of hundreds of thousands of Oklahomans and sensitive information from some FBI investigations may be compromised after a cyber security watchdog discovered millions of data files were left open to the public by the Oklahoma Securities Commission.
In their report, UpGuard researchers said that in some cases business transactions revealing the Social Security numbers, height, weight, eye color, and birthdays of individual brokers were available. In other cases, health records disclosed the names and T-cell counts of patients with AIDS. In others still, passwords and account names used to access state workstations remotely were exposed.
Also among the data was sensitive information from seven years of FBI investigations, including timelines and the names of people agents had interviewed. When asked, an FBI spokesperson told News9/Newson6 the Bureau could not comment.
According to UpGuard analysts, the server that stored the information had been set up for public viewing going back to 2015, but it doesn’t appear to have been accessible until Nov. 2018. The information itself is in some cases decades old. The oldest piece of data was from 1986; the most recent was from 2016.
The firm notified the Oklahoma Securities Commission on December 8, and the files were taken down.
In an interview with Forbes magazine, UpGuard’s head researcher said the breach is “massively noteworthy,” compromising the “entire integrity of the Oklahoma Dept. of Securities network.”
When asked about the breach, Commission Director Irving Faught said only that the leak was under investigation and declined to comment any further. Several hours after declining, Faught released a statement about the investigation.
“A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them,” Faught said. “The ODS is reviewing internal procedures, controls and security measures to ensure such incidents cannot occur in the future.” He also said the commission will notify anyone affected by the breach.
State agencies and commissions were asked to join a safer statewide cyber security system back in 2011. According to a spokesperson with the Office of Management and Enterprise Services, the OSC declined to join that system.