It is one thing when a department store chain such as Target falls victim to cyber fraud, and quite another when an agency such as the Oklahoma Securities Commission falls victim to crimes of the same nature. When cybersecurity breaches turn to fraud.
In December 2018 it was discovered that the Oklahoma Securities Commission, in which tens of millions of records were supposedly safeguarded has been found to be breached. The records include nearly eight years’ worth of FBI investigations, massive email archives and thousands of Social Security numbers.
What is even more troubling was that the cyber security team that discovered the breach found that all of these millions of files were publicly available. Anyone of us could have been directed to the online server and without a password, we could have downloaded thousands of social security numbers or confidential findings of investigations or information on financial transactions and legal irregularities of companies.
The Oklahoma Securities Commission is charged with monitoring all financial security and regulations in businesses throughout the state. Also included in the massive amount of data that was breached are bank transaction histories, any enforcement actions and other confidential information.
Where ethics take over
When the cyber security team discovered the massive amount of data that had been leaked, they charge that the Oklahoma Securities Commission did not even care what happened to the data that had been downloaded by hackers.
The work of the agency’s IT people had been so sloppy that they not only left the records completely unprotected, but the passwords for computers on the state government network were also uncovered. In addition, the cyber security team found the passwords themselves were simple and relatively easy to access.
As there is such inter-connectedness between state agencies, it would not have taken experienced hackers, especially from state-sponsored players such as Russia, China or North Korea from networking into other areas of government, banking, law enforcement or security.
The data leak which has been characterized as significant, covers records and email back to more than 17 years. It is impossible to calculate the confidential or even public information accessible in that data. Clearly, the millions of email addresses alone, could be bundled, filtered and sold to players intent on loading malware on millions of computers. Obviously, email addresses are portable. The breached data may extend throughout the United States – and beyond.
The apparently tepid response to the cyber security experts is troubling to say the least and suggests that they do not feel a strong ethical bond to the very people they serve throughout the State of Oklahoma and beyond. Further, the fact that they didn’t know that all of the supposedly confidential data could be publicly accessed is quite troubling. It is more than a breach, it is an ethical scandal.
Can a cyber security breach also portray the elements of fraud? The answer, simply, is “Yes.” In the example I gave at the beginning of this post, of the Target chain, it was a sophisticated breach that bypassed their security. However, it was not a breach that was caused by indifference or a lack of responsibility. Target is a for-profit entity, and they realized the damage to consumer confidence such a breach could do.
A state agency, on the other hand, does not worry about what could happen to sales or consumer confidence. Without a strong sense of ethics and the need to maintain the integrity of the data of the citizenry, the IT department at the Oklahoma Securities Commission does not feel the same connection that a private entity might feel.
Is there a rationalization here? Absolutely. They might have carried out the simplest of all bureaucratic responses, “It’s not my job.” It is impossible to believe that no one in the commission saw the flaws in the system yet no one stepped forward. They had the need to simply collect a paycheck and not rock the boat. Perhaps there was even some bureaucratic back-stabbing going on, of disengaged government workers passively allowing those in authority to take the blame. It was an opportunity to pay back a sense of being insignificant and irrelevant.
When no one cares, people get hurt. In this case, it is the citizens of an entire state this is when cybersecurity breaches turn to fraud.