Here’s another case where there’s a long gap between discovery of an incident and notification to individuals.
The Oklahoma Department of Securities had an incident that began Nov. 29, 2018. It was discovered December 11, 2018. On January 16, 2019, the agency issued a statement saying:
The Oklahoma Department of Securities (ODS) has initiated a comprehensive review of the circumstances surrounding an incident involving the inadvertent exposure of information during installation of a firewall. An accidental vulnerability of limited duration to a server containing archived data was discovered and immediately secured. The ODS has notified law enforcement and OMES regarding the incident. A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them. The ODS is also exploring remedial actions and notifications for anyone whose information may have been exposed. The ODS is reviewing internal procedures, controls and security measures to ensure such incidents cannot occur in the future.
The Department intends to make no further comment until the investigation is concluded and pertinent facts are established.
There is no update on their website, but I found something on the Attorney General of Oregon’s site that the Oklahoma Dept. of Securities had sent notifications to consumers on May 10, 2019.
Until we see an update from Oklahoma, we are still missing any details as to what the investigation found and what kinds of information were exposed, accessed, and/or acquired. Nor do we know how many individuals were potentially affected. But we also don’t know why it took from Dec. 11, 2018, when they discovered the breach, until May 10 to send notifications to consumers? Does that seem like an acceptable gap to you?
This post may be updated if or when the department provides more details on their site or issues a new press release.
Update: The following template was provided to the California Attorney General’s Office. It doesn’t really provide any additional details other than that they are offering those affected some complimentary credit monitoring protection.
UPDATE 2: I’d totally forgotten that this leak had been found and reported by UpGuard. Apologies for not mentioning their role sooner. You can read more about what types of data were on the leaky backup in their report.ODS - Notice to Consumers_0