Security Market Segment LS
Thursday, 17 January 2019 09:17

US state's securities dept leaves 1m files exposed

US state's securities dept leaves 1m files exposed Courtesy UpGuard

More than a million files belonging to the Department of Securities in the US state of Oklahoma were exposed to public view for an unknown period, the security firm UpGuard says, before they were secured after the department was notified by the company on 8 December 2018.

A blog post said the files included personal information, system credentials, internal documentation and communications intended for the Oklahoma Securities Commission.

The server in question was running an ancient version of Microsoft's Internet Information Server — IIS 6.0 — that had reached its end-of-life in July 2015.

The unsecured data was found using Shodan, a search engine for Internet-facing IP addresses, which showed that the data had been publicly accessible at least from 30 November last year.

UpGuard said the metadata of the files showed that their dates ranged from 1986 to to 2016. They were exposed through an unsecured rsync service at an IP registered to the Oklahoma Office of Management and Enterprise Services.

Among the information on the server was the following personal information:

  • One Microsoft Access database containing information on approximately 10,000 brokers, including their social security numbers.
  • A CSV with the partial name “IdentifyingInformation.csv” containing the date of birth, state of birth, country of birth, gender, height, weight, hair colour, and eye colour for over a hundred thousand brokers.
  • A database related to viators, a financial vehicle through which terminally ill patients can sell their life insurance benefits, contained information related to people with AIDS including patient names and T cell counts.

The following system credentials were also exposed:

  • VNC credentials for remote access to Oklahoma Department of Securities workstations.
  • A BlueExpress database of credentials for third parties submitting securities filings.
  • A spreadsheet of IT services with the usernames and passwords for accounts with Thawte, Symantec Protection Suite, Tivoli, and others.

The department closed off access to the server that same day it was notified.


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments