Oklahoma gov data leak exposes FBI investigation records, millions of department files
Researchers have disclosed the existence of a server exposed to the public which not only contained terabytes of confidential government data but information relating to FBI investigations.
According to UpGuard cybersecurity researchers Greg Pollock and Chris Vickery, the open storage server belonged to the Oklahoma Department of Securities (ODS), a US government department which deals with securities cases and complaints.
The database was found through the Shodan search engine which registered the system as publicly accessible on 30 November 2018. The UpGuard team stumbled across the database on 7 December and notified the department a day later after verifying what they were working with,
To ODS’ credit, the department removed public access to the server on the same day.
“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services (OMES), allowing any user from any IP address to download all the files stored on the server,” the researchers say.
Update 18.47 GMT: An Office of Management and Enterprise Services spokesperson told ZDNet:
“All state IP addresses, and many city and county addresses, are registered to OMES, but the agency has no visibility into the computer systems at the Oklahoma Department of Securities. For the past eight years the state has been working to consolidate all IT infrastructure under OMES and ODS had the option to consolidate its systems voluntarily and they did not.”
In order to examine the security breach, the team was able to download the server’s contents. The oldest records dated back to 1986 and the most recent was timestamped in 2016. In total, three terabytes of information representing millions of files. Contents ranged from personal data to system credentials and internal communication records.
“The amount, and reach, of administrative and staff credentials represents a significant impact to the Oklahoma Department of Securities’ network integrity,” the researchers say.
The data was stored in various formats. Email inbox storage backups represented a significant proportion of the leaked data, as well as virtual machine backups of ODS machines.
The stored information also included spreadsheets of IT credentials for accounts with Thawte, Symantec Protection Suite, Tivoli, and others; a BlueExpress database of account details for third parties submitting security filings; credentials required for remote access to ODS workstations; training documents; email histories, and files relating to ODS investigations.
Speaking to Forbes, Vickery added that there was a treasure trove of data relating to FBI cases. These files contained archives of enforcement actions dating back seven years including bank transaction histories, emails back-and-forth between those involved in cases, and copies of letters from subjects involved in investigations conducted by the FBI.
In a statement, the ODS confirmed there had been an “inadvertent exposure of information during installation of a firewall,” and after the exposure was discovered it was “immediately secured.”
“A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them,” the department added. “The ODS is also exploring remedial actions and notifications for anyone whose information may have been exposed.”
This incident might encourage ODS to take cybersecurity more seriously in the future. According to UpGuard metrics, the organization’s web domain has the worst risk of breach score of all websites on the ok.gov domain.