Oklahoma Agency's Data Exposure Included AIDS Patients' Data

The breach included FBI investigations, names of AIDs patients, and personally identifiable information for at least 100,000 finances brokers for the past three decades. It was online for about a week last year.

by Dale Denwalk, The Oklahoman / January 17, 2019

(TNS) — A cybersecurity research team discovered millions of files unsecured and open to the public on a server belonging to the Oklahoma Department of Securities, team members reported Wednesday.

The UpGuard Data Breach Research team found three terabytes and millions of files that could have been accessed by virtually anyone. The data included names of AIDS patients, details about FBI investigations and personally identifiable information for at least 100,000 finance brokers going back three decades.

In a statement, the FBI said it was aware of the exposure. Spokeswoman Andrea Anderson said any archived content related to FBI investigations appears to be limited, with minimal association to any ongoing law enforcement activity.

According to UpGuard's report, it appears the server had been active and open since at least November. The cybersecurity researchers found the server on Dec. 7 and notified the department the next day. Public access to the server was removed immediately, UpGuard said, and the data was only vulnerable for about a week, but it's not clear whether anyone else accessed the server.

The data includes sensitive information about those involved in the exchange of financial securities. According to the report, it appears the oldest data was generated in 1986 and it was most recently modified in 2016.

One database contained about 10,000 Social Security numbers of brokers. Another document contained birth information, gender and other identifying characteristics like eye color for 100,000 brokers.

UpGuard also reported it found a database that contained information about people with AIDS who were selling life insurance benefits, including names and T cell counts.

For the past eight years, the state has attempted to consolidate its IT infrastructure under the Office of Management and Enterprise Services. Unlike most other state agencies, the Oklahoma Department of Securities opted not to consolidate.

OMES was in the process of reaching out to the Securities Department and urged department officials to contact the FBI. An OMES spokeswoman said the Oklahoma Cyber Command had no visibility of the Securities Department's computer systems and did not vet the department's IT vendors.

"We figured we could handle our internal computer usage directly," Securities Department Administrator Irving Faught said Wednesday. "We felt, at the time, that it was better for the agency."

The department is taking the issue seriously and ordered a forensic investigation, Faught said. He declined to offer details about the breach or the aftermath, but said the department employs its own IT staff and uses outside vendors for some services.

"It depends on how the investigation comes out, but of course if we've exposed anybody's information, we will of course notify them," Faught said.

In a separate statement, Faught said the server was exposed during installation of a firewall, which is a network system that monitors traffic and is used to create a barrier between sensitive infrastructure and the public internet.

The kind of breach-and-report activity performed by UpGuard is used by white-hat hackers to expose and correct vulnerabilities that could lead to a personal data theft. UpGuard provides cybersecurity services and regularly monitors the web for public data exposures.

The group's report notes that the Securities Department's website appears to be the least secure of all sites with an ok.gov address. UpGuard found the site was running on a web server that is no longer supported by its manufacturer, which could allow a malicious hacker to take control.

UpGuard said it found passwords that could let hackers remotely access Securities Department workstations. A spreadsheet contained login information and passwords for several internet services, including anti-virus software.

©2019 The Oklahoman. Distributed by Tribune Content Agency, LLC.

Platforms & Programs