In addition, the exposure of personal information of 3.5 million individuals over one year cost four employees their jobs, including the head of IT and information security, the comptroller office said.
Earlier this month, the comptroller office revealed Social Security numbers, names and mailing addresses as well as other information, to varying degrees, such as birth dates and driver's license numbers were left exposed on its computers beginning in January 2010. The breach wasn't discovered until March 31 (see Texas Comptroller's Breach Lasted About a Year).
The state spent $1.2 million to notify those whose personal information was exposed, $393,000 to established a call center to offer assistance and $290,000 to retain two IT consultants - identified by the controller's office as Gartner and Deloitte - to examine the agency's information security policies and procedures, the Statesman.com reported.
The comptroller said data files transferred from three state agencies were not encrypted as required by Texas administrative rules, adding that personnel in the comptroller's office incorrectly allowed exposure of that data. Several internal procedures were not followed, leading to the information being placed on a server accessible to the public, and then being left on the server for a long period of time without being purged as required by internal procedures, the comptroller office said.
The comptroller office said it had negotiated discounts for fraud-related assistance, including credit monitoring, Social Security number protection, Internet surveillance and $10,000 of identity theft insurance with two companies.