Security Market Segment LS
Thursday, 17 January 2019 09:17

US state's securities dept leaves 1m files exposed

US state's securities dept leaves 1m files exposed Courtesy UpGuard

More than a million files belonging to the Department of Securities in the US state of Oklahoma were exposed to public view for an unknown period, the security firm UpGuard says, before they were secured after the department was notified by the company on 8 December 2018.

A blog post said the files included personal information, system credentials, internal documentation and communications intended for the Oklahoma Securities Commission.

The server in question was running an ancient version of Microsoft's Internet Information Server — IIS 6.0 — that had reached its end-of-life in July 2015.

The unsecured data was found using Shodan, a search engine for Internet-facing IP addresses, which showed that the data had been publicly accessible at least from 30 November last year.

UpGuard said the metadata of the files showed that their dates ranged from 1986 to to 2016. They were exposed through an unsecured rsync service at an IP registered to the Oklahoma Office of Management and Enterprise Services.

Among the information on the server was the following personal information:

  • One Microsoft Access database containing information on approximately 10,000 brokers, including their social security numbers.
  • A CSV with the partial name “IdentifyingInformation.csv” containing the date of birth, state of birth, country of birth, gender, height, weight, hair colour, and eye colour for over a hundred thousand brokers.
  • A database related to viators, a financial vehicle through which terminally ill patients can sell their life insurance benefits, contained information related to people with AIDS including patient names and T cell counts.

The following system credentials were also exposed:

  • VNC credentials for remote access to Oklahoma Department of Securities workstations.
  • A BlueExpress database of credentials for third parties submitting securities filings.
  • A spreadsheet of IT services with the usernames and passwords for accounts with Thawte, Symantec Protection Suite, Tivoli, and others.

The department closed off access to the server that same day it was notified.


Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has high potential to be exposed to risk.

It only takes one awry email to expose an accounts payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 steps to improve your Business Cyber Security’ you will learn some simple steps you should be taking to prevent devastating malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you will learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments