A cybersecurity research team discovered millions of files unsecured and open to the public on a server belonging to the Oklahoma Department of Securities, it reported Wednesday.
The UpGuard Data Breach Research team said it found three terabytes and millions of files that could have been accessed by virtually anyone. The data included names of AIDS patients, details about FBI investigations and personally identifiable information about 100,000 financial brokers.
The research group reported the vulnerability to the department. It’s not known whether anyone else accessed the data.
According to UpGuard’s report, it appears the server has been active since at least November. The cybersecurity researchers found the server on Dec. 7, and notified the department the next day. Public access to the server was removed immediately, UpGuard said, and the data was only vulnerable for about a week.
The data found on the server includes information about those involved in the exchange of financial securities, including organizations and individuals. According to the report, it appears the oldest data was generated in 1986 and it was most recently modified in 2016.
One database contained about 10,000 Social Security numbers of brokers.
Another document contained birth info, gender and other identifying characteristics like eye color for 100,000 brokers.
UpGuard also reported it found a database that contained information about people with AIDS who were selling life insurance benefits, including names and T cell counts.
For the past eight years, the state has attempted to consolidate its IT infrastructure under one umbrella, a department within the Office of Management and Enterprise Services. Unlike most other state agencies, the Oklahoma Department of Securities opted not to consolidate.
OMES is in the process of reaching out to the Securities Department and urging them to contact the FBI. An OMES spokeswoman said the Oklahoma Cyber Command had no visibility of the Securities Department’s computer systems and did not vet the vendor the department chose.
A representative for the Securities Department could not be reached for comment.
This kind of breach-and-report activity is used by white-hat hackers to expose and correct vulnerabilities that could lead to personal data theft. UpGuard also provides cybersecurity services.
The group’s report notes that the Securities Department’s website appears to be the least secure of all sites with an ok.gov address. UpGuard found the site was running on a web server that is no longer supported by its manufacturer, which could allow a malicious hacker to take control.
UpGuard said it found passwords that could let hackers remotely access Securities Department workstations. A spreadsheet contained login information and passwords for several internet services, including antivirus software.