3 terabytes of data, which contained millions of sensitive files, was found to be left unsecured on a storage server for at least a week. The data belonged to the Oklahoma Department of Securities (ODS).
Security researcher Greg Pollock from UpGuard uncovered the data, which amounted to millions of files, some of them sensitive FBI data with information on investigations. They were being held on the server, with no password, making it accessible to anyone with an internet connection.
Chris Vickery, head of research at UpGuard said: “It represents a compromise of the entire integrity of the Oklahoma Department of securities’ network, It affects an entire state level agency. … It’s massively noteworthy.”
Vickery went on to say that they were surprised by the varied nature of the data. The data included FBI investigations that went back 7 years, with the earliest file creation date being in 2012. This data included emails from people involved in cases, bank transaction histories and interview timelines. And that was just the FBI data.
Other data stemmed back to the 1980s and onwards, with thousands of social security numbers and email archives.
When asked for comment, the Oklahoma Department of Securities said:
“This matter is under investigation and the department has no further comment at this time,”
It is reported that ODS was informed of the exposed server in mid-December of last year, and quickly took action to remove the server from public view. However, Vickery still deems the department’s response as “irresponsible.” This is because, although UpGuard and Vickery were thanked for bringing the issue to the department’s attention, they were not engaged in a discussion.
Vickery also highlights various other security concerns related to the server, leading many to the conclusion that the department is not taking their cybersecurity seriously on multiple levels. For example, Passwords for computers on the Oklahoma government’s network were revealed, as well as an encrypted version of a document being stored in the same location as the unencrypted version. He also stated that the passwords were not complicated, suggesting that the department is not enforcing safe password practices, further putting them in danger.
Government servers contain lots of sensitive information that could prove troublesome or even disastrous if the information was to get into the wrong hands. However, the level of sensitivity of the data, and their effort into protecting it don’t seem to match in many instances. You would expect that with highly sensitive data, you would protect it with highly specialized cybersecurity, at the very least, strong passwords.
This could be due to lack of funding in cybersecurity within these departments, or due to lack of knowledge about how easy it would be for hackers to scan for such information. Either way, it’s clear that more needs to be done by government agencies to protect their data in a time when hackers are becoming increasingly sophisticated.