The Oklahoma Department of Securities is the latest governmental body to report a breach. This time over a million files consisting of department files and FBI investigation records were disclosed via an open server, making them all available to the public. A security researcher at UpGuard discovered the exposure. Additionally, there was access to the following personal data:
- Emails going back 17 years with personal data such as social security numbers included.
- Life insurance data.
- Names of patients with AIDS.
- Interviews with witnesses.
- Bank records.
- Data pertaining to witnesses.
The breach compromised a total of 3TB of data.
In December the security researcher gained access to the server without having to enter a password. Companies affected included Goldman Sachs and Lehman Brothers. UpGuard notified the Department, which swiftly removed public access.
Similar Events in China
This comes after the compromise of Chinese jobseekers' CVs, which added up to 854 GB of data. In the last weeks of December 2018, weak security led to the exploitation of another system, this time a database. The South China Morning Post reported that a US-based database in China was allegedly responsible. However, others claimed bj.58.com was responsible. It is still not known who is accountable.
Data leaked included names of job seekers, addresses, contact information as well as their educational and occupational background.
The organisation accountable for the database took it offline shortly after HackenProof reported its findings.
Lessons for organisations to take from these breaches include implementing practices such as password management, making someone responsible for ensuring all these measures are in place, and having policies that detail this requirement. The policy should be managed, and organisations should check that staff are complying with it. Access control was another weak area in both cases. Implementing and monitoring access control will preserve the confidentiality of data.