Millions of sensitive files dating back decades have been exposed after 3TB of data on an Oklahoma Securities Commission storage server was left publicly accessible.
Researchers at UpGuard made the discovery on December 7 last year and it was fixed a day later by the commission, part of the state’s Department of Securities, which regulates and administers the securities trading sector.
It was first registered as publicly accessible by Shodan a week earlier.
“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server,” explained the security vendor.
“The website for the Securities Commission has an UpGuard Cyber Risk score of 171 out of 950, indicating severe risk of breach. Among the issues lowering the website’s score is the use of the web server IIS 6.0, which reached end of life in July 2015, meaning no updates to address any newly discovered vulnerabilities have been released in the last three and a half years.”
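The condition UpGuard describes is an rsync daemon whose module accepts anonymous connections from any address. As an added illustration that is not part of this article or of UpGuard's report, the two rsyncd.conf fragments below contrast such a module with a restricted one; the module names, paths, user name and the 10.20.0.0/16 address range are hypothetical.

```ini
# --- Constructed example 1: an exposed rsyncd.conf (not the commission's real file) ---
# No "hosts allow" and no "auth users": every client on every IP address is
# accepted anonymously, and "read only" still permits downloading everything.
[backups]
    path = /srv/backups
    comment = Department backups
    read only = yes
    list = yes

# --- Constructed example 2: a restricted rsyncd.conf for the same data ---
# Global options must precede the first module section.
# Bind the daemon to an internal interface only, rather than 0.0.0.0.
address = 10.20.0.5
use chroot = yes
max connections = 4
log file = /var/log/rsyncd.log

[backups]
    path = /srv/backups
    comment = Department backups (authenticated)
    read only = yes
    # Do not advertise the module to anonymous "rsync host::" listing requests.
    list = no
    # Accept connections only from the internal management range.
    hosts allow = 10.20.0.0/16
    hosts deny = *
    # Require a named account whose password lives in a root-owned,
    # mode 0600 secrets file (one "user:password" line per account).
    auth users = backup-operator
    secrets file = /etc/rsyncd.secrets
    strict modes = yes
```

Binding to an internal address and blocking TCP port 873 at the network edge matter as much as the module options, since in this case the listing was picked up by Shodan a week before researchers reported it.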
The data, which dated back to 1986 and included email back-ups and virtual images, covered a broad sweep of different areas.
These included personal information such as the Social Security numbers of 10,000 brokers, and highly sensitive life insurance information on terminally ill AIDS patients.
Also exposed were system credentials that could allow an attacker to hijack Department of Securities workstations, as well as third-party security filings and account credentials for Thawte, Symantec Protection Suite, Tivoli and other services.
The leaked data also included “spreadsheets documenting the timeline for investigations by the FBI and people they interviewed,” potentially putting witnesses at risk.
“We need to stop making it so easy for hackers and bad actors who are simply using tools that have been around for years,” argued Suzanne Spaulding, Nozomi Networks adviser and former DHS under secretary.
“Hackers use a tool called Shodan that allows anyone to scan the internet, looking for devices and computers connected to the internet but not protected.”