Texas Comptroller's Breach Lasted About a Year

Personal Information of 3.5 Million People Exposed
Texas Comptroller's Breach Lasted About a Year
Personal information of some 3.5 million people was left exposed on a Texas state server for about one year before being detected, the state comptroller's office revealed Monday.

State Comptroller Susan Combs said there is no indication the personal data that included Social Security numbers, names and mailing addresses as well as other information, to varying degrees, such as birth dates and driver's license numbers were misused.

The comptroller has contacted the attorney general's office to conduct an investigation on the data exposure.

The state's Teacher Retirement System, Texas Workforce Commission and Employees Retirement System transferred the information to the state comptroller. The retirement system data transferred in January 2010 had records of 1.2 million education employees and retirees. The workforce commission data transferred in April 2010 had records of about 2 million individuals in their system. And the retirement system data transferred in May 2010 had records of some 281,000 state employees and retirees.

The comptroller's office said the data files transferred were not encrypted as required by Texas administrative rules, adding that personnel in the comptroller's office incorrectly allowed exposure of that data. Several internal procedures were not followed, leading to the information being placed on a server accessible to the public, and then being left on the server for a long period of time without being purged as required by internal procedures, the comptroller office said.

The mistake was discovered the afternoon of March 31, at which time the agency began to seal off public access to the files.

"The information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location," Combs said in a statement.

State law required the information to be transferred by these agencies and used internally at the comptroller's office as part of the unclaimed property verification system.

In December, Combs issued a report, Protecting Texans' Identities: The Challenges of Securing Privacy in Transparent Government, that proposed the designation of chief privacy officers at each agency as well as the creation of an Information Security Council in the state. She said she will work with the Legislature to get her proposals enacted in law.

The comptroller's office has set up an informational website for individuals to provide additional details and recommended steps and resources for protecting identity information.

The state will send out letters Wednesday notifying affected individuals of the breach.


About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.