Oklahoma veterans' personal data was found on a private server. Here's how officials say they addressed it
An investigation by Oklahoma Cyber Command has revealed there was no leak of veterans' sensitive data that was being kept on a privately owned server.
In February, the Oklahoma Veterans Commission was notified that six databases containing veterans' personally identifiable information, including Social Security numbers, was being kept on a site outside of the state's network. The Office of Management and Enterprise Services (OMES), which oversees the state's IT needs, launched an investigation to determine whether the databases were compromised at any point.
"We greatly appreciate OMES and their resolve to get to the bottom of this potentially serious situation in a swift, yet thorough manner" said Greg Slavonic, the Oklahoma Department of Veterans Affairs' interim executive director. "While it was discovered that the potential for a breach existed, we are relieved to learn that no data was in fact compromised."
What happened to cause the security concern?
In a report to leadership at the Veterans Affairs Department, OMES confirmed that sensitive personal information was found on a server that was previously used by the department. The server was used by the agency before 2020, when oversight of the applications that used those databases were migrated to OMES control.
One year ago, a Veterans Affairs Department employee first raised concerns that information was being kept in a way that did not meet the state's standard for sensitive data. During the OMES investigation, Cyber Command learned that six databases with sensitive data were still on the private server, which was being paid for with a state employee's personal credit card.
As of February, the server was still active and under control of the employee who said he wasn't aware that the information was still being stored there. Once he learned about the wayward data, it was removed, the Veterans Affairs Department said.
Cyber Command began monitoring the dark web for any evidence that the personal information was being offered for sale. The investigation found that while some internet traffic was being routed to the server, there was no indication that anyone downloaded the information.
Much of the state's digital infrastructure is now managed by OMES, with threats to the system defended by the agency's Cyber Command unit. By leaving sensitive data on a server outside OMES, officials were worried about the risk of a data breach that could not be mitigated by Cyber Command.
More: Just how weak are your computer passwords? Pretty weak if you're in certain businesses
“Thank you to Rear Admiral Slavonic for bringing in OMES Oklahoma Cyber Command to quickly investigate and protect sensitive ODVA information," said Jerry Moore, state chief information officer and OMES deputy director. "We found no evidence that Oklahoma veterans' data was compromised, and the systems have since been secured and now operate within the state security standards."
During his report to the Veterans Commission in February, Moore told the commission that in his three years on the job, he'd never come across anything like what he found at the Veterans Affairs Department.
"We frequently come across legacy technology that is not managed to the current standard, but I've never encountered one that's outside of the agency's control," Moore said.
During that meeting, commissioners asked Moore for specifics about the risks of keeping personal information in this manner.
"The scary part of this is that I can't answer that question because it's outside of the state's control," Moore replied.
This article originally appeared on Oklahoman: Oklahoma veterans data on private server not compromised, state says
