Securities Department sued over data breach

  • Ledger photo by Chris Martin

OKLAHOMA CITY – A class action lawsuit has been filed against the state Department of Securities over a security breach in which one of the agency’s computer servers published – “in plain text to anyone with internet access” – personal information, including names and Social Security numbers, of more than 305,700 individuals.

Third-party cyber security researchers discovered the data breach in December 2018 and notified the department and its information technology consultant, Rattan Consulting Inc. The “minor misconfiguration” that “apparently caused this treasure trove of highly sensitive information to be published online” was corrected “within 10 minutes” by the Securities Department and Rattan, the lawsuit petition claims.

Nevertheless, only after reporters with Forbes magazine and an Oklahoma newspaper “began asking questions and public exposure became inevitable” did the department notify law enforcement officers and begin investigating the data breach.

By then, access logs for the compromised computer server had been “overwritten and irretrievably lost, destroying valuable evidence of the extent of the harm caused by the data breach,” the plaintiffs allege. Forbes reported that the data breach involved three terabytes of unprotected data; that’s equivalent to approximately 194 million pages of information, the plaintiffs report in their lawsuit.

At least one unauthorized third party accessed the confidential information on the department’s server, the plaintiffs allege.

And shortly after the investigation began, the department “started referring to the data breach internally as a ‘hacking’ incident,” the lawsuit claims.

Moreover, the department did not notify the “breach victims” until several months later, records reflect. In mid-April 2019 the victims were informed the department “confirmed that your information was contained within the compromised server.” The two plaintiffs allege that they weren’t notified of the data breach until each received a letter from the Securities Department dated May 9, 2019.

The Securities Department “did not disclose the causes of the data breach, when the breach started, or why it took the department five months to notify” the victims, the lawsuit declares.

“While continuing to use known obsolete computer systems likely contributed to the data breach,” the plaintiffs contend, “an added cause was a combination of the negligence and failure of the department’s IT, staff, and Rattan, to adequately set the rules for a new firewall – something that should have taken just a few minutes of attention.”

The lawsuit relates that in 2015 the Oklahoma Cyber Command linked to an article from its media page that quoted state officials as acknowledging that state computers were attacked more than 11,000 times per week by cyber hackers.

The class-action lawsuit was filed earlier this month in Oklahoma County District Court by Ryan Larson and Austin Mims.

Larson is a resident of Sunset, Utah, who formerly worked as a financial adviser and was registered with the Oklahoma Department of Securities. He contends he is “now at a significantly higher risk of identity theft” because of the data breach.

Mims is a resident and citizen of Hinckley, Ohio. He works as a financial adviser and is registered with the Oklahoma Securities Department. Since the data breach Mims has had “multiple fraudulent inquiries and at least one fraudulent credit line opened in his name, and has spent hours of his time vigilantly reviewing his credit reports and contesting fraudulent activity,” he alleges. The risk is “ongoing,” he complained, “as already this year he learned of another fraudulent account” that was opened in his name and was “allowed to go delinquent.”

Mims and Larson seek unspecified but “appropriate monetary and injunctive relief,” and ask that the Securities Department and Rattan Consulting be required to pay court costs, the expenses incurred in administering the claims, and “reasonable” attorney fees.

The Securities Department regulates securities agents, broker-dealers, and investment advisers as well as the registration of stocks, bonds, and many other types of securities. Rattan Consulting, also a defendant in the lawsuit, is based in Oklahoma City.