Millions of Files Leaked from Oklahoma Department of Securities Database

AlphaAtlas

The UpGuard Data Breach Research team, who previously uncovered data breaches in U.S. voting systems and an Experian partner, recently exposed a massive leak from Oklahoma's Department of Securities. The contents of the files "ran the gamut from personal information to system credentials to internal documentation and communications intended for the Oklahoma Securities Commission," but the sheer bulk of the 3TB of data is made up of Outlook backup archives dating back to at least 1999, while some data goes back to 1986. Among other things, the leak contained the social security numbers of "approximately ten thousand brokers," identifying information on over a hundred thousand brokers, sensitive medical data, credentials for various IT services, and files related to investigations and FBI interviews. While UpGuard's post wasn't particularly critical, Chris Vickery, head of research at UpGuard, told Forbes that the department's response was "irresponsible," as they "didn't check to see what was done with the mass of data downloaded by the researchers." UpGuard also found some glaring security oversights in the leaked data, such as decrypted versions of documents being stored in the same folder as encrypted versions.

Businesses and organizations naturally accumulate stores of data, both because of the value of that data and to comply with retention policies. Creating backups is a good practice to increase resilience in the face of attacks like ransomware. Backups are also necessary for migrations to ensure data can be recovered as businesses adopt newer and more secure technologies. But as this case highlights, the final crucial step is to maintain control over every copy of those data stores. The good news is that, while the contents of the server extended over years, the known period of exposure was quite short. Thanks to the Data Breach Research team's techniques for quickly identifying risks, the exposure was identified only one week after it showed up in Shodan's catalogue of global IP addresses. Shortening the window of exposure reduces the likelihood of other parties accessing the data and enables its owners to take responsive measures before the data is used maliciously.
 
At this point everyone's information is already out there so if you change your password regularly then that's probably your best defense.
 
Lol, Outlook. People love to keep 50,000 emails "just in case they need to access them!" instead of filing away that information like an intelligent person would.

Outlook is a plague.
 
I wonder if the OK Dept of Securities IT section has been assimilated by OMES yet? Many years ago there was an OK legislative mandate to consolidate all IT into one central agency which wound up being called OMES. During one of the assimilation meetings with the agency I used to work for (not the Dept of Securities), OMES leadership said our Help Desk response time of a 2 hour callback set too good of a standard. Turns out the OMES standard was a 5 day call back. This wasn't a have a solution time frame, just the time allowed for a tech to contact the person filing the trouble ticket. If they applied the same vigor toward security, could well explain this screw up.

Link to the OMES page showing the OK Dept of Securities: https://www.ok.gov/cio/Business_Segments/Regulatory.html
 
At this point everyone's information is already out there so if you change your password regularly then that's probably your best defense.

Best defense is my (patent pending) "Slob" defense.

Works for home invasions, hackers in your e-mail, car break-ins, and just about everywhere.


Nobody, including thieves, wants to wade through smelly old McDonald's wrappers, dirty laundry and old dinner plates. Same applies to your e-mail. Put those important documents onto your most spam filled e-mail account and let it get buried away. Hackers are bound to lose interest scrolling through the 1,000's of male enhancement spam before they find that one important document.
 
So, I was affected by something in this list, but it does not contain actionable information, as all it does is give me a hit against "Collection1".

What, am I supposed to change ALL of my passwords on all of my sites now, just in case?? blah..
 
Lol, Outlook. People love to keep 50,000 emails "just in case they need to access them!" instead of filing away that information like an intelligent person would.

Outlook is a plague.
Well, I am one of those... And I have accessed them countless times for stuff in the past, over a year, it's almost routine, 2 or more years not uncommon for me.
 
Lol, Outlook. People love to keep 50,000 emails "just in case they need to access them!" instead of filing away that information like an intelligent person would.

Outlook is a plague.

You realize outlook is just an email client you use to access a remote email server, right?......
 
You realize outlook is just an email client you use to access a remote email server, right?......

Also Outlook didn't exist until 1992 so clearly some of the data comes from other sources...and not all of it exchange as MSMail was replaced in what...91 with exchange?
 
You realize outlook is just an email client you use to access a remote email server, right?......

Yeah. Do you know what happens to Outlook when it is attempting to store 50k emails? It breaks, horribly. Other email clients don't have this problem. Thunderbird works great. Is your experience with Outlook limited to exchange setups? Consider yourself lucky.

If you do not stay on top of Outlook it will break in the most horrifying ways.
 
I, personally, don't have a problem using Outlook, and likely none of you do either. We're talking end users here. Real Estate agents. Office workers. Salesmen.

If you've seen 50GB psts then you understand my pain. If you haven't, you don't know how bad Outlook can get.
 
No, I would not be using outlook with non-exchange..... They are made to integrate, and that's the only instance I'd want to use outlook. But the combination of the 2 is better than any other email server/client software available at the enterprise level.

If your users have 50gb pst files, then maybe you should fix their cache settings so it only saves, say, 2 weeks locally and keeps the rest on the server.

Plus, most of the problems you presented are user error.......
 