Oklahoma Securities Commission’s Data Availed in the Wild
Poor cyber-hygiene is to blame for access to unencrypted sensitive data, highlighting issues with data security
Security researchers at UpGuard recently uncovered a backup data store that had been poorly configured by the State of Oklahoma. In the case of the Oklahoma Securities Commission (OSC), you’d think that cybersecurity strategy, architecture and implementation were not part of the foundational elements within its mission, and you’d probably be correct.
Imagine the subject of an investigation by the OSC and FBI being able to review the material held by the OSC because the door to the file room was left open and unintended. That is precisely what occurred in Oklahoma. The access achieved by UpGuard revealed basic cyber-hygiene issues within the OSC.
Just how bad were the OSC’s issues? The commission apparently stored an encrypted version of a file in the same folder as the unencrypted version of the file. Additionally, it maintained spreadsheets, in unencrypted form, that detailed account access data to include passwords and authentication answers/details.
It appeared to UpGuard researchers that at least seven years of information pertaining to law enforcement efforts, including the FBI, were available for perusing due to a rsync server misconfiguration.
Think about that: Three terabytes of FBI data left on an unsecured server, not even password-protected.
Cybersecurity 101 calls for the protection of sensitive data.
The question that needs to be asked and asked again and again is, How often is the environment where sensitive data is placed tested to ensure it is secure? Is data security being taken seriously?
Oklahoma’s Response
ODS issued the following non-response: “… [T]he Oklahoma Department of Securities (ODS) has notified law enforcement. … A forensic team is conducting an analysis. … The accidental vulnerability was of limited duration to a server containing archived data was discovered and immediately secured.”
It added the warning not to hold your breath, “The Department intends to make no further comment until the investigation is concluded and pertinent facts are established.” True to its word, ODS hasn’t made any further comments.
While the OSC and ODS performed their investigation, others shared what had been exposed.
Threat Post relayed that a CSV was found in the exposed data store which carried the label “IdentifyingInformation.csv.” The CSV filed contained the personal identifying information of more than 100,000 financial brokers. The level of information was granular: “date, country and state of birth, gender, height, weight, hair color and eye color,” according to Threat Post.
Also found was a database that contained data of individuals who were attempting to sell their life insurance benefits, also known as “viators” (a viatical settlement), Threat Post reported. The information in the databases was related to those diagnosed with AIDS, including the individuals’ names and T-cell counts.
In a nutshell, the backup data store of the OSC was comprehensive, historical and available.
The culture of the emu seems to have been driving the data security environment of the OSC/ODS.
Perhaps a better rule of thumb and strategy would be to follow the age-old adage, “Don’t collect what you won’t protect.”
Know Your RSYNC
To its credit, UpGuard has been providing guidance on configuring rsync servers, gratis. The firm’s how-to guide, “Secure Rsync in the Enterprise,” walks system administrators through the configuration of remote synchronization (rsync).
If you are backing up your data—as you should be—then do it right and afford the same level of protection for your production data environment as you do your archival.
