Yesterday, the Oklahoma Securities Commission revealed that it suffered a data leak, discovered in December 2018. The organization is responsible for preventing fraud and for ensuring individuals and corporations trade securities with the proper certification at the state level.
UpGuard cybersecurity researcher Greg Pollack discovered the leak. The Commission stored millions of their files—3 terabytes of data—on an rsync server. The server possessed no identity or access management security whatsoever. In fact, the Oklahoma Securities Commission did not even password protect this critical server; anyone connecting to the server with an IP address could access it.
According to an UpGuard post detailing the leak, it is unclear when the server first became public. Evidence points to the server first becoming publicly accessible in November 2018. Since its discovery, the server has been removed from public access. However, whether the server ever experienced unauthorized access during its brief window of exposure remains unknown.
What Data Leaked?
The files in question contained information on sensitive subjects, including FBI investigations, enforcement actions, and bank transaction histories. The leaked data also contained statements from witnesses and sources in FBI cases and information on major corporations like AT&T. Chris Vickery, Head of Research at UpGuard, noted the leaked files contained data from between 1986 and at least 2016.
Vickery said: “It represents a compromise of the entire integrity of the Oklahoma department of securities’ network. It affects an entire state level agency. … It’s massively noteworthy.” Additionally, he criticized the Oklahoma Securities Commission’s lackadaisical response to the data leak. Their identity security behavior overall indicated neglect of access management best practices.
Charles Kaiser, Spokesperson for the Oklahoma Securities Commission, said in a statement: “This matter is under investigation and the department has no further comment at this time.”
To the editors of Solutions Review, the Oklahoma Securities Commission Breach demonstrates the danger of allowing your access management policies to lapse or treating your sensitive data irresponsibly. If you treat your identity and access management as an afterthought, you may end up publicly leaking information damaging to your enterprise’s bottom line or reputation. However, we wanted more insight into this grievous data exposure.
Therefore, we sought the opinion of cybersecurity experts to learn what enterprises can learn from the Oklahoma Securities Commission Breach. Here’s what they had to say:
Anurag Kahol, CTO, Bitglass
“What is especially troubling about this data leak is the seemingly blasé response from the Oklahoma Securities Commission. Leaving a database containing highly sensitive information unprotected and publicly accessible is careless and irresponsible; additionally, the agency is worsening the situation by failing to address the issue directly with the public. While all organizations need to defend their data, government agencies, in particular, must adhere to the highest of security standards – the type of information that they collect, store, and share demands it.
These kinds of leaks can have lasting consequences for all parties involved. To prevent such breaches, all organizations, including government agencies, must adopt modern security technologies. Dynamic identity and access management solutions, for instance, can verify users’ identities, detect potential intrusions, and enforce multi-factor authentication in a real-time, step-up fashion.”
Carl Wright, CCO, AttackIQ
“Data leaks are often caused by gaps in security programs that can be easily prevented. The Oklahoma Securities Commission’s leak of three terabytes of FBI data could have been avoided if they had visibility into the state of their defenses.
All organizations, including government agencies, must take a proactive approach to protecting sensitive data through continuous evaluation of their security controls, processes and people to uncover and remediate gaps that could be compromised by threat actors.”
Jonathan Bensen, interim CISO and senior director of product management, Balbix
“Leaking three terabytes of the FBI’s data due to leaving a server unsecured without a password is a critical error and indicates the need for the Oklahoma Securities Commission, as well as other government agencies, to strengthen their current security measures to ensure future breaches can be avoided in the first place.
Leaving a database containing such critical information unsecured is an elementary mistake for which there is no excuse. That said, organizations are increasingly struggling to maintain continuous visibility of all of their assets and successfully monitor the growing number of potential threats. Monitoring and analyzing the attack surface, and analyzing and improving enterprise security posture, is simply no longer a human scale problem. To best combat these threats, agencies must implement security tools that use machine learning and automation to monitor their enormous attack surfaces and vast IT asset landscape to proactively identify and address security vulnerabilities to mitigate the risk of future breaches.”
Thank you to these cybersecurity experts for their time and expertise!