A blog post said the files included personal information, system credentials, internal documentation and communications intended for the Oklahoma Securities Commission.
The server in question was running an ancient version of Microsoft's Internet Information Server — IIS 6.0 — that had reached its end-of-life in July 2015.
The unsecured data was found using Shodan, a search engine for Internet-facing IP addresses, which showed that the data had been publicly accessible since at least 30 November last year.
The data on the server included the following personal information:
- One Microsoft Access database containing information on approximately 10,000 brokers, including their social security numbers.
- A CSV with the partial name “IdentifyingInformation.csv” containing the date of birth, state of birth, country of birth, gender, height, weight, hair colour, and eye colour for over a hundred thousand brokers.
- A database related to viators, a financial vehicle through which terminally ill patients can sell their life insurance benefits, containing information related to people with AIDS, including patient names and T cell counts.
The following system credentials were also exposed:
- VNC credentials for remote access to Oklahoma Department of Securities workstations.
- A BlueExpress database of credentials for third parties submitting securities filings.
- A spreadsheet of IT services with the usernames and passwords for accounts with Thawte, Symantec Protection Suite, Tivoli, and others.
The department closed off access to the server the same day it was notified.