State agency exposes 3TB of data, including FBI info and remote logins

Oklahoma’s Department of Securities (ODS) exposed three terabytes of files in plain text on the public internet this month, which contained sensitive data including social security numbers, details of FBI investigations, credentials for remote access to computers, and the names of AIDS patients.

Researchers at security company UpGuard found the files using the Shodan search engine, which indexes internet-connected devices. In this case, they ran across an unsecured rsync server registered to ODS.

Rsync is a utility commonly found on Unix and Linux systems that enables administrators to synchronize files between different computers. It is used for ‘delta’ syncing, in which one computer copies to another only the parts of files that have changed, enabling them to maintain identical copies of the files in different locations.

Because the rsync server UpGuard found required no authentication, anyone who connected to its IP address could read the data. It’s impossible to know who else may have found it first. The one upside is that the data was identified just one week after it was exposed.
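The exposure described above comes down to an rsync daemon serving a module with none of the access controls rsyncd offers. As an added example, not code from the article, UpGuard, ODS or OMES, the POSIX shell script below audits an rsyncd.conf for modules that an anonymous client could read or write, and runs itself against two constructed configs: one open to anyone and one locked to a single source address and account. The file names, module name, address and account name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article, UpGuard, ODS or OMES): audit an rsyncd.conf
# for modules that an anonymous internet client could read or write, the kind of
# exposure described above. File names, module names and addresses are constructed.

# Print one "module<TAB>finding" line per problem and exit 1 if anything was
# flagged, 0 otherwise. Settings before the first [module] header are rsyncd
# globals inherited by every module, so they are tracked separately.
audit_rsyncd_conf() {
    awk '
        BEGIN { bad = 0 }
        function flush() {
            if (mod == "") return
            if (!auth && !gauth)   { print mod "\tno \"auth users\": clients need no credentials"; bad = 1 }
            if (!hosts && !ghosts) { print mod "\tno \"hosts allow\": reachable from any source address"; bad = 1 }
            if (ro == "no" || (ro == "" && gro == "no")) { print mod "\twritable: read only = no"; bad = 1 }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        /^[ \t]*[[]/ {                          # [module] header: report the previous module first
            flush()
            mod = $0; sub(/^[ \t]*[[]/, "", mod); sub(/[]].*$/, "", mod)
            auth = 0; hosts = 0; ro = ""
            next
        }
        index($0, "=") {                        # "key = value" line; rsyncd keys are case-insensitive
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (mod == "") {
                if (key == "auth users" && val != "") gauth = 1
                if (key == "hosts allow" && val != "") ghosts = 1
                if (key == "read only") gro = val
            } else {
                if (key == "auth users" && val != "") auth = 1
                if (key == "hosts allow" && val != "") hosts = 1
                if (key == "read only") ro = val
            }
        }
        END { flush(); exit bad }
    ' "$1"
}

# Number of findings for a config file, handy for scripted checks.
count_findings() { audit_rsyncd_conf "$1" | wc -l | tr -d ' '; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: a module served to anyone, as an internet-facing rsyncd with no
# access controls would be. rsyncd allows every host when "hosts allow" is absent.
cat > "$WORK/exposed.conf" <<'EOF'
uid = nobody
list = yes
[backups]
    path = /srv/backups
    comment = mail and VM backups
    read only = no
EOF

# Constructed: the same module restricted to one source address and one account.
cat > "$WORK/hardened.conf" <<'EOF'
uid = nobody
list = no
[backups]
    path = /srv/backups
    read only = yes
    hosts allow = 192.0.2.10
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
EOF

for f in exposed hardened; do
    if audit_rsyncd_conf "$WORK/$f.conf"; then
        echo "$f.conf: no anonymous exposure found"
    else
        echo "$f.conf: $(count_findings "$WORK/$f.conf") finding(s), listed above"
    fi
done
```

Run it against a real daemon with `audit_rsyncd_conf /etc/rsyncd.conf`. The audit only reads the configuration file: an `auth users` entry still needs a matching `secrets file` for logins to succeed, and whether the daemon is reachable from the internet at all is a question for the host firewall and the daemon's bind address, not for this file.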

The data trove contained millions of files dating back to 1986, according to UpGuard’s report, with the most recent files dated 2016. They offered up sensitive data ranging from personally identifiable information (PII) to internal documentation, the researchers explained.

The files included PII on over 100,000 securities brokers, including the social security numbers for around 10,000 of them. One database included the names of AIDS patients.

It also contained system credentials, including remote login access for ODS workstations, login credentials for people submitting securities filings, and access credentials for third-party IT services.

The files even gave away details of FBI investigations, detailing timelines and people that the agency interviewed.

Among the files were backups of Microsoft Exchange emails dating from 1999 to 2016. The 2016 file alone held 16GB of data. The researchers also found virtual machine backups.

The researchers said:

The amount, and reach, of administrative and staff credentials represents a significant impact to the Oklahoma Department of Securities’ network integrity.

That integrity wasn’t stellar to begin with, according to the report. UpGuard scores websites based on their security, and the Oklahoma Securities Commission (part of ODS) scored a paltry 171 out of 950 (the worst score on the domain), indicating severe risk of breach. One of the reasons for this low score was the Commission’s use of IIS 6.0, which Microsoft stopped supporting in July 2015.

The IP address with the insecure rsync server was registered to the Oklahoma Office of Management & Enterprise Services (OMES), which is a department providing services, including IT operations, to Oklahoma government agencies.

OMES doesn’t provide the ODS with IT services, an OMES spokesperson told me when I reached out for comment.

The spokesperson explained that OMES provides IT services under a consolidation program created in 2011 as part of state bill HB 1304, which was designed to make IT more efficient across state agencies and departments. The IT consolidation program was mandatory for agencies that receive state dollars.

Many independent commissions that are not funded by the State Government chose to use the OMES IT services voluntarily, she said. The Oklahoma Securities Commission, which leads the ODS, isn’t funded by the State Government and opted out. The OMES spokesperson added:

We have a cybersecurity team that’s actually nationally recognized and they’ve made contact with the agency and offered resources to them. A letter went out yesterday offering them the cyber insurance that we have going forward. Our robust team has made overtures toward the agency to try and avoid this happening again.

The Commission has said that it will not comment beyond a statement released earlier this week, in which it promised a thorough investigation. It said:

The ODS is also exploring remedial actions and notifications for anyone whose information may have been exposed. The ODS is reviewing internal procedures, controls and security measures to ensure such incidents cannot occur in the future.

This article was updated 17:15 GMT to include comments from an OMES spokesperson to Naked Security.