A backup server run by the Oklahoma Department of Securities had exposed terabytes of sensitive data. The server was misconfigured. Millions of sensitive records were released. Citizens of Oklahoma were notified that their identities may have been compromised.
What I want you to realize is that the State of Oklahoma is NOT the only organization with misconfigured servers. When we are asked to assess an organization’s security, nearly 9 times out of 10 they have a misconfigured server that leaves them vulnerable to a ransomware attack or data breach.
The server at the Oklahoma Department of Securities was discovered in early December of last year. The simple mistake was that it was set to public access—allowing anyone to ping it and get information out of it. If a hacker were scanning organizations for open ports or ways to get in, this would be the equivalent of a box office at the movies giving away free seats.
What made this specific data breach worse is that there were three terabytes of data being stored on it—personal contact information, system credentials, internal documentation and sensitive information that had been intended to be accessible to only a few eyes.
And just for you to wrap your head around what a terabyte really is—think millions of files being open to anyone that wanted them! Data that had been collected and stored over the course of three years wide open to criminals looking to steal identities.
Think about how having one single misconfiguration like this could happen in your organization.
It just takes one.
What if your IT guy was busy doing ten different things? Janice from accounting had an issue with Excel—it wouldn’t open. Your marketing team wanted help fooling around with the website, but wanted him to make the changes (they didn’t feel comfortable making them in case they accidentally changed something else unexpectedly). Your HR team sent in emergency requests to add three new users and Operations needed 3 new computers prepped for their users. This IT guy’s day just got blown up. The work listed above—none of which is out of scope for that IT guy—would probably take him nearly a day to complete.
Now realize that when he was interrupted to add those new users—an emergency request—he was working on your server trying to evaluate configurations. He was looking at permissions on that server when HR called. Accidentally (because he was distracted by something else) he ended up configuring your server to outwardly publish all of its information—3 terabytes’ worth of records. You were storing medical information (as your company does processing for local healthcare offices).
Think of 3 terabytes of data leaking out into the ether, some or all of it getting picked up by hackers. You have no idea where that data went, who had it, or what would happen because of it.
It might take days—or even years—before the paper trail of evidence slowly leaks back to your organization. Your IT guy might not have known that that leak was occurring for weeks, months, or even years.
My question to you: can you risk having your business data—or business network—vulnerable to ransomware attacks or breaches simply because of a wrong click?
Contact us today for a free ransomware vulnerability assessment.