• An unsecured storage server belonging to the Oklahoma Securities Commission exposed millions of files including sensitive FBI investigations.
  • The exposed files included years of FBI data including FBI interviews, emails among people involved with investigations, bank transaction history, and letters from witnesses.

An unprotected storage server belonging to the Oklahoma Department of Securities exposed millions of files containing personal data, system credentials, and sensitive FBI investigations. The server was left publicly available with no password, accessible to anyone with an internet connection.

The UpGuard Data Breach Research team discovered the open server via the Shodan search engine on December 7, 2018. UpGuard reported the unsecured server to Oklahoma on December 8, 2018. The research team noted that the server had been publicly available since November 30, 2018.

What was exposed?

Chris Vickery, head of research for UpGuard, reported to Forbes that the server held files containing seven years' worth of FBI data. The files included:

  • FBI interviews
  • Email archives from parties involved in FBI investigations
  • Bank transaction histories
  • Letters from subjects, witnesses, and other parties
  • Thousands of social security numbers from the 1980s onwards

“The FBI files contained ‘all sorts of archive enforcement actions’ dating back seven years (the earliest file creation date was 2012). The documents included spreadsheets with agent-filled timelines of interviews related to investigations, emails from parties involved in myriad cases and bank transaction histories. There were also copies of letters from subjects, witnesses and other parties involved in FBI investigations,” Vickery said.

Major companies such as AT&T, Goldman Sachs, and Lehman Brothers were also named in the exposed FBI file.

What happened?

The UpGuard Data Breach Research team described the leaky server in a blog post, stating that the data on the server was exposed via an unsecured rsync service.

“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server,” UpGuard wrote.

“The scale of the data makes it impractical to perform any kind of exhaustive documentation of the exposed information, so researchers instead scrutinized the types of digital artifacts – stored emails and virtual machine disk images – and types of data they contained, including personal information, system credentials, and business data,” UpGuard added.
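
The two conditions UpGuard describes, no password and no restriction on source IP address, correspond to the rsync daemon's `auth users` and `hosts allow` module parameters. The Python check below is an added example, not from UpGuard or the original article; the sample configuration is constructed and does not reproduce the exposed server's settings.

```python
# Added example: flag rsyncd.conf modules that lack access controls.
# SAMPLE_CONF is constructed for illustration only.

SAMPLE_CONF = """\
# constructed sample
uid = nobody
use chroot = yes

[archive]
    path = /srv/archive
    read only = yes

[backups]
    path = /srv/backups
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}); parameter names normalized."""
    global_params, modules = {}, {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return global_params, modules

def audit(text):
    """Map each module to the access-control parameters it lacks."""
    global_params, modules = parse_rsyncd_conf(text)
    findings = {}
    for name, params in modules.items():
        effective = {**global_params, **params}  # globals act as module defaults
        # No "auth users" means anonymous rsync; no "hosts allow" means any source IP.
        missing = [p for p in ("auth users", "hosts allow") if not effective.get(p)]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    for module, missing in audit(SAMPLE_CONF).items():
        print(f"[{module}] missing: {', '.join(missing)}")
```

The check is deliberately narrow: it does not follow include directives or evaluate `hosts deny`, so a clean result is not proof that a module is unreachable.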

What were the immediate actions taken?

Upon learning about the incident on December 8, 2019, the commission quickly removed the server from the public internet.

“This matter is under investigation and the department has no further comment at this time,” Charles Kaiser, a spokesperson for the Oklahoma Securities Commission, said.

“The good news is that, while the contents of the server extended over years, the known period of exposure was quite short,” the research team at UpGuard concluded.

Cyware Publisher