A massive data breach at the Texas state comptroller’s office publicly posted the names and Social Security numbers of 3.5 million residents for nearly a year. In some cases dates of birth and driver’s license numbers were also accessible until the breach was discovered March 31.
The comptroller’s office will begin notifying state workers and retirees tomorrow (April 13) that their information may have been accessed after their records were “inadvertently disclosed on an agency server that was accessible to the public,” State Comptroller Susan Combs wrote in a press release.
“I deeply regret the exposure of the personal information that occurred and am angry that it happened,” Combs wrote. “I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location.”
The mistake occurred after the comptroller’s office asked three groups – the Teacher Retirement System of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas – to transfer their databases, containing records of about 3.5 million state employees and retirees, to the comptroller’s server.
The three agencies did so in the first half of 2010 but forgot to encrypt the data. The comptroller’s office then neglected to follow its own systems of checks and balances, which included encrypting the data, placing it on a secure server and deleting it after seven days.
“We had the procedures and protocols in place, but they were not followed,” comptroller spokesperson Allen Spelce told SecurityNewsDaily. “That’s what led to the exposure.”
After nearly a year, the comptroller found and sealed off the publicly accessible sensitive information this past March 31, and contacted the Attorney General’s Office and the FBI to begin investigating if any of the data had been misused.
So far, Spelce said, there is “no evidence of any misuse of the data.”
Spelce told SecurityNewsDaily that the comptroller employees responsible for the security lapse were fired yesterday morning (April 11).