FBI records exposed in breach of Oklahoma state agency
A leak of FBI records, including letters from subjects and witnesses involved in criminal law enforcement investigations, resulted from an Oklahoma state agency leaving millions of documents on a publicly accessible internet server, cybersecurity researchers revealed Wednesday.
The Oklahoma Department of Securities (ODS) acknowledged the breach in a press release issued after UpGuard, a Silicon Valley-based security firm, detailed how it discovered and subsequently secured a wide-open server belonging to the agency containing FBI records dating back to 2012.
“It represents a compromise of the entire integrity of the Oklahoma Department of Securities’ network,” said Chris Vickery, UpGuard’s head of research.
“It affects an entire state level agency,” Mr. Vickery told Forbes, where the breach was first reported. “It’s massively noteworthy.”
The data was inadvertently exposed during installation of a firewall, ODS said later Wednesday. Law enforcement authorities have been notified about the incident, and a forensic team “is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them,” the agency said in a press release.
UpGuard said it was uncertain how long the documents had been online, but that Shodan, a search engine used to find internet-facing IP addresses, first registered the data as being publicly accessible on Nov. 30, 2018. UpGuard contacted Oklahoma on Dec. 8, and public access was removed that day, according to the firm's blog post.
Among the data found on the server by UpGuard were FBI records containing “all sorts of archive enforcement actions” dating back seven years, Mr. Vickery told Forbes.
The data included “copies of letters from subjects, witnesses and other parties involved in FBI investigations,” the outlet reported. In a blog post, UpGuard said the server contained spreadsheets detailing the timelines of specific FBI probes and people interviewed, among other files.
“As a result of neglecting basic security measures, anyone with an internet connection could have access to the server, making it extremely easy for hackers to compromise the data,” said Fred Kneip, the CEO of CyberGRX, a Colorado-based risk assessment firm.
“To combat this, government and large corporate organizations must implement ironclad passwords across any server that contains sensitive information, and ensure that their affiliate organizations and third parties are adhering to the same standards,” he added.
An FBI spokesperson said Department of Justice policy prohibits the bureau from confirming or denying the existence of an investigation into the incident, Forbes reported.