Data breach involving millions of files reported at Oklahoma government

An investigation is underway into the reported breach of millions of files of state data. The State Department of Securities confirmed what it called an “inadvertent” release of data, but it’s unclear whether the data involved matters related to the energy industry in Oklahoma.

However, a report by KFOR TV indicated that the original notification of the release was made in December by the cybersecurity firm UpGuard. It reportedly indicated that millions of files were left unsecured and included Social Security numbers, names and addresses of state employees, and information on AIDS patients.

“The Oklahoma Department of Securities (ODS) has initiated a comprehensive review of the circumstances surrounding an incident involving the inadvertent exposure of information during installation of a firewall,” explained the department in a statement on Wednesday.

“An accidental vulnerability of limited duration to a server containing archived data was discovered and immediately secured. The ODS has notified law enforcement and OMES regarding the incident,” continued the ODS statement.

The Securities Department reacted quickly after being notified by UpGuard and removed public access to the unsecured pathway. It was reported that 3 terabytes of data had been left unprotected.

KFOR indicated that sensitive information from FBI investigations had also been compromised, including spreadsheets of interviews, investigation timelines, and letters from witnesses and other subjects.

“By the best available measures of the files’ contents and metadata, the data was generated over decades, with the oldest data originating in 1986 and the most recent modified in 2016,” wrote UpGuard researchers in their report on the breach.

Here is the complete statement from the Department of Securities.

The Oklahoma Department of Securities (ODS) has initiated a comprehensive review of the circumstances surrounding an incident involving the inadvertent exposure of information during installation of a firewall. An accidental vulnerability of limited duration to a server containing archived data was discovered and immediately secured. The ODS has notified law enforcement and OMES regarding the incident. A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them. The ODS is also exploring remedial actions and notifications for anyone whose information may have been exposed. The ODS is reviewing internal procedures, controls and security measures to ensure such incidents cannot occur in the future.
The Department intends to make no further comment until the investigation is concluded and pertinent facts are established.