An Oklahoma Department of Securities (ODS) server allowed anyone to download the government files. ODS is a US government department which deals with securities cases and complaints.
“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services (OMES), allowing any user from any IP address to download all the files stored on the server,” the researchers say.
Last December, millions of files and thousands of Social Security numbers were left unprotected and accessible to anyone with an internet connection, cybersecurity researchers found. The breach was uncovered last month by Greg Pollock, a cybersecurity researcher at UpGuard, who claims the millions of files were publicly available on an online server and didn’t require any password to access them. UpGuard, an Australian cybersecurity startup was founded in 2012. “It represents a compromise of the entire integrity of the Oklahoma Department of Securities’ network,” UpGuard’s Chris Vickery told Forbes, the first outlet that reported the breach. “It affects an entire state level agency. … It’s massively noteworthy.” The database was found through the Shodan search engine which registered the system as publicly accessible on 30 November 2018. The UpGuard team stumbled across the database on 7 December and notified the department a day later after verifying what they were working with. UpGuard said, “public access was removed that day, preventing any further downloads by the means used by the UpGuard analysts.” UpGuard said the data was “generated over decades” with the oldest data being from 1986. The most recently-modified information was from 2016.