May 132019
 

Here’s another case where there’s a long gap between discovery of an incident and notification to individuals.

The Oklahoma Department of Securities had an incident that began Nov. 29, 2018. It was discovered December 11, 2018.  On January 16, 2019, the agency issued a statement saying:

The Oklahoma Department of Securities (ODS) has initiated a comprehensive review of the circumstances surrounding an incident involving the inadvertent exposure of information during installation of a firewall. An accidental vulnerability of limited duration to a server containing archived data was discovered and immediately secured. The ODS has notified law enforcement and OMES regarding the incident. A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them. The ODS is also exploring remedial actions and notifications for anyone whose information may have been exposed. The ODS is reviewing internal procedures, controls and security measures to ensure such incidents cannot occur in the future.
The Department intends to make no further comment until the investigation is concluded and pertinent facts are established.

There is no update on their website, but I found something on the Attorney General of Oregon’s site that the Oklahoma Dept. of Securities had sent notifications to consumers on May 10, 2019.

Until we see an update from Oklahoma, we are still missing any details as to what the investigation found and what kinds of information were exposed, accessed, and/or acquired. Nor do we know how many individuals were potentially affected. But we also don’t know why it took from Dec. 11, 2018, when they discovered the breach, until May 10 to send notifications to consumers? Does that seem like an acceptable gap to you?

This post may be updated if or when the department provides more details on their site or issues a new press release.

Update: The following template was provided to the California Attorney General’s Office. It doesn’t really provide any additional details other than that they are offering those affected some complimentary credit monitoring protection.

UPDATE 2: I’d totally forgotten that this leak had been found and reported by UpGuard. Apologies for not mentioning their role sooner. You can read more about what types of data were on the leaky backup in their report.

ODS - Notice to Consumers_0

  16 Responses to “Update: Oklahoma Dept of Securities notifying individuals affected by 2018 security incident”

  1. I received a letter like like this with precautionary steps to take. But it does not tell me what department is responsible or how it happened, only that my name and social security number has possibly been subject to the data breach.

  2. Just received my letter. Lovely that the State of OK uses a P.O. box from Claysburg PA. Trust worthy?

    • @pissed off, I was concerned about that exact same thing! Also, the phone number to call for more information is to Experian, and they never answer. I finally HAD to hang up after being on hold for over 30 mins with some type of off country/banjo music playing for hold music.

      • If it helps, I called the # and they answered in one ring? It was a nice gent, but he was with Experian directly and suggested I google search the organization.

    • I just received a notice with claysburg, PA PO Box as well…. thoughts?

  3. I received this letter too and its just scare tactic marketing piece. At the bottom of the first page, it says: If you have additional questions or concerns, please call our toll-free dedicated assistance line at 866-506-788…. Sincerely The Oklahoma Department of Securities. This number is not related to The Oklahoma Department of Securities but to Experian customer care who is offering a complimentary 12 month membership to their credit watching services with detailed information about your “membership”. They’ve simply cut/pasted their rehashed advertisement pitch under the logo of the Oklahoma Department of securities.

    Experian should be investigated/fined for exploiting known data breaches and for their deceptive marketing tactics to scare people into trial membership for their services.

    Here’s another letter about an Ithaca College data breach (with the same return PO Box as this letter): https://ago.vermont.gov/wp-content/uploads/2018/04/Ithaca-College-Notice-of-Data-Security-Breach-to-Consumers.pdf

    And another one from a bank: https://media.dojmt.gov/wp-content/uploads/1st-Mariner-Bank.pdf

    Look familiar?

    • I’m going to jump in here because it’s clear people are confused about some of this.

      Oklahoma paid for and arranged for Experian to provide those affected with services. So Oklahoma put Experian’s phone number as the number to call for assistance.

      That type of thing is done EVERY DAY by breached entities. This is not Experian doing anything wrong. They probably bid on getting the contract with the state. The only thing Experian seems to be doing wrong is not answering their phone when people are calling them.

  4. I too received the letter, but am unsure how OK was able to obtain any personal info of mine. Letter says name & SSN were exposed. Would have expected instructions on how to delete my file with them since it is a risk I do not wish to continue. The letter looks pretty convincing but also shady (POBox in PA, ‘Department’ instead of ‘ODS’, no explanation of where they got my personal info or why, enough info and instructions to confuse most folks, etc)

    • I believe OK had my info from my licensing with FINRA. I have a series 6 and 63 which we have to file with each state. I knoe many who hold these license at my work(we are in KS) have gotten the same letter.

      Are you registered through FINRA? Could this be where they got your info from too?

  5. I think this is total fraud.
    The 866 number provided to call them is the number for Experian.

  6. I just called the Oklahoma Department of Securities, (405) 280-7700, selected Option 5, and spoke to a lovely woman who was working late. As much as it seems it’s a fraudulent letter, it is real. The OK Department of Securities hired an outside service to mail out the notifications. Turns out if you are or were Securities Licensed and/or Blue Skied in Oklahoma you are on their list of possible breached information.

    As we discussed the letter, I told her that I have lived in Los Angeles my entire working career and was just “Blue Skied” in Oklahoma many years ago through my Broker Dealers. She assured me the letter is real and it would be in my best interest to take precautionary the steps.

    As a side note, if you don’t want to utilize the information on the letter, another option is to freeze your credit files with the three agencies. There’s no cost and it lasts forever.

  7. This is my 3rd session on hold for over 15 minutes..to sign up for Experian Indentity y Works account. No one picks up. On line activation says my code is invalid. This is a joke and a total waste of time.

  8. Intially upon receiving letter and having no none finacial ties to Oklahoma companies, etc., was concerned RE fraud. Checked with my banks, etc., no issues. Called # (Experian), lengthy hold so I called Oklahoma D of Sec. Nice guy but no help. Connected to Experian, signed up as I recommend you do. No $$, auto stop in 12 months, no renewal automatically (like they did before) or otherwise.
    I AM concerned about which entity had my data to begin with…will continue to investigate.

  9. This is real. Looks like there is a class action lawsuit in the works: [url deleted by Dissent]

    Note from Dissent: Sorry, but I don’t allow links to sites where the sole purpose is to sign people up for class action lawsuits. I don’t believe in giving attorneys free advertising on my site. 🙂

  10. I received this letter from the OK Dept. of Securities and called them directly. The person i spoke with told me that the letter was, indeed, legitimate!! The address in PA is a mail service recommended by the Philly law firm utilized by OK Dept of Securities (and by a number of other entities, also).

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

This site uses Akismet to reduce spam. Learn how your comment data is processed.