Millions of Files Leaked from Oklahoma Department of Securities Database

Discussion in 'HardForum Tech News' started by AlphaAtlas, Jan 17, 2019.

  1. AlphaAtlas

    AlphaAtlas [H]ard|Gawd Staff Member

    Messages:
    1,716
    Joined:
    Mar 3, 2018
    The UpGuard Data Breach Research team, who previously uncovered data breaches in U.S. voting systems and an Experian partner, recently exposed a massive leak from Oklahoma's Department of Securities. The contents of the files "ran the gamut from personal information to system credentials to internal documentation and communications intended for the Oklahoma Securities Commission," but the sheer bulk of the 3TB of data is made up of Outlook backup archives dating back to at least 1999, while some data goes back to 1986. Among other things, the leak contained the social security numbers of "approximately ten thousand brokers," identifying information on over a hundred thousand brokers, sensitive medical data, credentials for various IT services, and files related to investigations and FBI interviews. While UpGuard's post wasn't particularly critical, Chris Vickery, head of research at UpGuard, told Forbes that the department's response was "irresponsible," as they "didn't check to see what was done with the mass of data downloaded by the researchers." UpGuard also found some glaring security oversights in the leaked data, such as decrypted versions of documents being stored in the same folder as encrypted versions.

    Businesses and organizations naturally accumulate stores of data, both because of the value of that data and to comply with retention policies. Creating backups is a good practice to increase resilience in the face of attacks like ransomware. Backups are also necessary for migrations to ensure data can be recovered as businesses adopt newer and more secure technologies. But as this case highlights, the final crucial step is to maintain control over every copy of those data stores. The good news is that, while the contents of the server extended over years, the known period of exposure was quite short. Thanks to the Data Breach Research team's techniques for quickly identifying risks, the exposure was identified only one week after it showed up in Shodan's catalogue of global IP addresses. Shortening the window of exposure reduces the likelihood of other parties accessing the data and enables its owners to take responsive measures before the data is used maliciously.
     
  2. PantherBlitz

    PantherBlitz Limp Gawd

    Messages:
    422
    Joined:
    Apr 14, 2011
    It's like no one even tries to keep this stuff secure.
     
  3. BloodyIron

    BloodyIron 2[H]4U

    Messages:
    3,465
    Joined:
    Jul 11, 2005
    Your tax dollars, hard at work... Eroding your democracy... :/
     
  4. N4CR

    N4CR 2[H]4U

    Messages:
    3,466
    Joined:
    Oct 17, 2011
    Wonder what it has about the bombing..
     
  5. Rahh

    Rahh [H]ard|Gawd

    Messages:
    1,615
    Joined:
    Jan 14, 2005
    At this point everyone's information is already out there so if you change your password regularly then that's probably your best defense.
     
  6. Gweenz

    Gweenz [H]ard|Gawd

    Messages:
    1,220
    Joined:
    Dec 18, 2003
    Lol, Outlook. People love to keep 50,000 emails "just in case they need to access them!" instead of filing away that information like an intelligent person would.

    Outlook is a plague.
     
  7. Dead Parrot

    Dead Parrot 2[H]4U

    Messages:
    2,361
    Joined:
    Mar 4, 2013
    I wonder if the OK Dept of Securities IT section has been assimilated by OMES yet? Many years ago there was an OK legislative mandate to consolidate all IT into one central agency which wound up being called OMES. During one of the assimilation meetings with the agency I used to work for (not the Dept of Securities), OMES leadership said our Help Desk response time of a 2 hour callback set too good of a standard. Turns out the OMES standard was a 5 day call back. This wasn't a have a solution time frame, just the time allowed for a tech to contact the person filing the trouble ticket. If they applied the same vigor toward security, could well explain this screw up.

    Link to the OMES page showing the OK Dept of Securities: https://www.ok.gov/cio/Business_Segments/Regulatory.html
     
  8. DNMock

    DNMock Limp Gawd

    Messages:
    406
    Joined:
    Apr 16, 2015
    Best defense is my (patent pending) "Slob" defense.

    Works for home invasions, hackers in your e-mail, car break-ins, and just about everywhere.


    Nobody, including thieves, wants to wade through smelly old McDonald's wrappers, dirty laundry and old dinner plates. Same applies to your e-mail. Put those important documents onto your most spam filled e-mail account and let it get buried away. Hackers are bound to lose interest scrolling through the 1,000s of male enhancement spam before they find that one important document.
     
  9. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,656
    Joined:
    Oct 29, 2000
    So, I was affected by something in this list, but it does not contain actionable information, as all it does is give me a hit against "Collection1".

    What, am I supposed to change ALL of my passwords on all of my sites now, just in case?? blah..
     
  10. HAL_404

    HAL_404 Limp Gawd

    Messages:
    236
    Joined:
    Dec 16, 2018
  11. Uvaman2

    Uvaman2 2[H]4U

    Messages:
    2,917
    Joined:
    Jan 4, 2016
    Well, I am one of those... And I have accessed them countless times for stuff in the past, over a year, it's almost routinely, 2 or more years not uncommon for me.
     
  12. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,169
    Joined:
    Nov 16, 2009
    You realize Outlook is just an email client you use to access a remote email server, right?......
     
  13. kju1

    kju1 2[H]4U

    Messages:
    3,160
    Joined:
    Mar 27, 2002
    Also Outlook didn't exist until 1992 so clearly some of the data comes from other sources...and not all of it Exchange as MSMail was replaced in what...91 with Exchange?
     
  14. Gweenz

    Gweenz [H]ard|Gawd

    Messages:
    1,220
    Joined:
    Dec 18, 2003
    Yeah. Do you know what happens to Outlook when it is attempting to store 50k emails? It breaks, horribly. Other email clients don't have this problem. Thunderbird works great. Is your experience with Outlook limited to Exchange setups? Consider yourself lucky.

    If you do not stay on top of Outlook it will break in the most horrifying ways.
     
  15. Gweenz

    Gweenz [H]ard|Gawd

    Messages:
    1,220
    Joined:
    Dec 18, 2003
    I, personally, don't have a problem using Outlook, and likely none of you do either. We're talking end users here. Real Estate agents. Office workers. Salesmen.

    If you've seen 50GB psts then you understand my pain. If you haven't, you don't know how bad Outlook can get.
     
  16. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,169
    Joined:
    Nov 16, 2009
    No, I would not be using Outlook with non-Exchange..... They are made to integrate, and that's the only instance I'd want to use Outlook. But the combination of the 2 is better than any other email server/client software available at the enterprise level.

    If your users have 50GB PST files, then maybe you should fix their cache settings so it only saves, say, 2 weeks locally and keeps the rest on the server.

    Plus, most of the problems you presented are user error.......