Huge Oklahoma data breach exposes 7 years of FBI investigations

Researchers have disclosed a huge leak of government data stemming from the Oklahoma Securities Commission. In total, roughly 3 TB of data was exposed, including millions of files, many of which pertained to FBI investigations.

Commenting on the news are the following cybersecurity professionals:


From Warren Poschman, senior solutions architect at comforte AG:

“It seems these days that having a breach is almost becoming as common as having a breakfast every morning.  What’s disconcerting is that unlike a restaurant with poor Yelp reviews, countermeasures against poor IT practices aren’t stopping organizations from being repeat customers with the same bad service as it were.  While we have all heard many headlines concerning major retail or consumer organizations, one area that is often overlooked but is equally, if not more, vulnerable are state and local governments.  Not only do they have incredibly large caches of personally identifiable data but they also often have inadequate security measures run by poorly funded IT departments.


The US State of Oklahoma, commonly abbreviated as “OK”, was far from “ok” as it turned out.  Not only were they using insecure methods to transfer FBI investigative data spanning the last 40 years, they also left it open for up to seven years.  While it is not clear how much of this data may have been acquired and sold on the dark web, what is clear is that if a data-centric security approach had been taken, the turn of events could have been dramatically different.  A data-centric security approach would have allowed for the most sensitive bits in that dataset to be protected and replaced with tokens.  Instead of having valuable data and sensitive files stolen, the use of tokens would have rendered the data useless to potential attackers turning a disaster into a simple oversight.


Secure tokenization allows you to replace one data bit with a unique token that only you can, if necessary, detokenize later.  And, what’s even better is that if (or is it when?) someone gets through your perimeter security you’ll be able to rest easy knowing that the data itself is protected no matter where it is taken, used, or moved to.   It’s time that we look closely at our local and state governments – I am sure that there are other states and cities that are not “A-ok” out there, where a simple change to using data-centric security could be used.  And, as we scroll through the morning news over our breakfast tomorrow we won’t have to wonder how much of our data might be vulnerable or mismanaged.”
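The vault-style tokenization described in the comment above, sketched as an added example (not part of the original article and not any vendor's product code). The `TokenVault` class, the SSN-only pattern and the sample records are hypothetical and constructed for illustration.

```python
import re
import secrets

# Assumption for this sketch: only US SSN-shaped values are treated as sensitive.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class TokenVault:
    """Hypothetical in-memory vault; a real one is a separate, access-controlled service."""

    def __init__(self):
        self._by_value = {}  # sensitive value -> token (stable per value, so joins still work)
        self._by_token = {}  # token -> sensitive value (the only way back)

    def tokenize(self, value):
        if value not in self._by_value:
            # Random token: no mathematical link to the value, nothing to crack offline.
            token = "TOK-" + secrets.token_hex(8)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]  # KeyError for tokens this vault never issued


def protect(text, vault):
    """Replace every SSN-shaped substring with its token before the file leaves the trusted zone."""
    return SSN_RE.sub(lambda m: vault.tokenize(m.group()), text)


def reveal(text, vault):
    """Reverse protect() for a caller that holds vault access."""
    return re.sub(r"TOK-[0-9a-f]{16}", lambda m: vault.detokenize(m.group()), text)


# Constructed sample records, not taken from the exposed data.
RECORDS = [
    "Witness J. Doe, SSN 123-45-6789, interviewed 2012-03-04",
    "Follow-up: subject 123-45-6789 linked to account holder 987-65-4321",
]

if __name__ == "__main__":
    vault = TokenVault()
    exposed = [protect(r, vault) for r in RECORDS]  # what an open file server would serve
    print(*exposed, sep="\n")
    print(*(reveal(r, vault) for r in exposed), sep="\n")
```

The protection only holds if the vault is stored and access-controlled separately from the tokenized files; a vault left on the same open server exposes the mapping along with the data.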



From Javvad Malik, security advocate at AlienVault:


“Cloud applications and services bring a great deal of convenience. Large amounts of data from disparate sources can easily be uploaded, stored, and analysed. However, with this convenience comes the danger that it is equally as easy to misconfigure, exposing otherwise private information publicly. It can be a relatively simple error to make, which is why it is important for companies to have assurance checks in place to ensure that all systems are configured as required.”


From Anjola Adeniyi, cybersecurity consultant at Securonix:


“A quick look at shows the Oklahoma Securities Commission is still not following one of the most basic steps to protecting a website, such as using TLS encryption. It therefore isn’t shocking that such an organisation missed the boat on basic Cyber Hygiene. This has a lot to say about its Cyber Security culture, and it’s needless to say that a government organisation with a regulatory role could and should have done better.


As the saying goes – “there are only 2 types of organisation: those who know they have been hacked, and those who don’t know they’ve been hacked.” If the data was “accessible to anyone with an internet connection” chances are they have already been accessed by unintended parties.


Data breaches involving Personally Identifiable Information (PII) often lead to huge fines, reputation damage, loss of trust, employee dissatisfaction and attrition, and huge clean up costs. Its impact to the individual is enormous from identity theft to financial compromise, and the list goes on.”


From Suzanne Spaulding, Nozomi Networks Adviser & former DHS Under Secretary:


“We need to stop making it so easy for hackers and bad actors who are simply using tools that have been around for years. For example, hackers use a tool called Shodan that allows anyone to scan the Internet, looking for devices and computers connected to the Internet but not protected – sites like the one that was hacked in Oklahoma. This is one of the ways they find industrial control systems that are connected to the public Internet.”


“The three terabytes of unprotected data from the Oklahoma Securities Commission amounts to millions of sensitive files, all of which were left wide open on a server with no password, accessible to anyone with an Internet connection. Moreover, the website for the Oklahoma Securities Commission was using a web server that reached its end of life in July 2015 and wasn’t supported by updates to fix any known security flaws.”


“Basic cyber hygiene, like password protection, encrypting sensitive information and keeping systems and patches updated are not very difficult tasks to accomplish, or expensive to maintain, especially when compared to the cost of a breach of this size. Properly protecting your data and updating your devices before a breach can occur can make a huge difference in reducing your vulnerability.”