The department caused the data breach by negligently misconfiguring a new firewall that it was installing with the aid of a consultant, the lawsuit alleges.
The lawsuit also alleges that the department waited several weeks to notify law enforcement about the data breach, which resulted in valuable evidence being lost.
"Only after news reporters began asking questions and public exposure became inevitable did the department notify law enforcement and begin investigating the data breach," the lawsuit states. "By then, the access logs for the compromised server had been overwritten and irretrievably lost, destroying valuable evidence of the extent of the harm."
"The department, with advice from OMES (the state Office of Management and Enterprise Services), also concocted a story about a then non-existent 'active investigation' in order to avoid having to publicly admit its failure to respond to the data breach and to justify withhold(ing) information from the reporters making inquiries," the lawsuit says.
The lawsuit credits Forbes Magazine and Dale Denwalt, a reporter for The Oklahoman, with bringing information about the data breach to light.
Rattan Consulting Inc., a company hired by the Oklahoma Department of Securities to help configure the firewall, was also named as a defendant in the lawsuit filed Monday in Oklahoma County District Court.
The lawsuit was filed by former financial advisor Ryan Larson, who now lives in Utah, and Austin Mims, a financial advisor who lives in Ohio. Both stated they were registered with the Oklahoma Department of Securities and were among the more than 300,000 individuals whose personal data was exposed on the internet. They are seeking class-action status for the lawsuit so that their attorneys can represent not only them, but all the other individuals who had their data exposed.
The personal data that was exposed "included more than 30 years of files, dating back to at least 1986, containing information such as plain text passwords, system credentials, social security numbers, financial account numbers, and personal identifying information such as gender, height, weight, hair color, eye color, date of birth and state and county of birth," the lawsuit states.
The personal data was exposed over the internet for at least 13 days before the breach was detected by an outside cybersecurity research firm which notified the department, according to the lawsuit.
Larson and Mims said the department took about five months to notify them of the data breach, which increased their risk of becoming victims of identity theft.
Mims "has had multiple fraudulent inquiries and at least (one) fraudulent credit line opened in his name, and has spent hours of his time vigilantly reviewing his credit reports and contesting fraudulent activity," the lawsuit states.
The Department of Securities offered victims 12 months of identity theft monitoring, but the lawsuit claims that is inadequate because the fraudulent use of information obtained through data breaches often continues for years.
The lawsuit seeks unspecified monetary damages and injunctive relief.
©2020 The Oklahoman. Distributed by Tribune Content Agency, LLC.
