3.5 Million Personal Records Exposed on Texas Comptroller’s Server

CIO Insight Staff Avatar

Updated on:

The Texas Comptroller’s Office has disclosed that sensitive personal information belonging to at least 3.5 million residents haw been accidentally exposed, adding more uncertainty about phishing attacks and identity theft to people already jittery after Epsilon.

Social Security numbers, birthdates, driver’s license numbers, addresses and other personal information belonging to 3.5 million residents were posted to a publicly available server, Susan Combs, the Texas comptroller, said April 11. Most of the information was available for more than a year, but there was no indication that any of the information had been misused, Combs said.

An undisclosed number of employees in the comptroller’s office were fired after the breach was discovered at the end of March, according to R.J. DeSilva, the agency’s spokesperson. He declined to identify them.

“We take information security very seriously, and this type of exposure will not happen again,” Combs said in a written statement.

The exposed details also included information on 1.2 million education employees and retirees from the Teacher Retirement System of Texas, the Texas Workforce Commission’s 2 million residents, and the Employees Retirement System of Texas’ 281,000 state employees and retirees. Data included current and former state agency employees with benefits and retired state employees who were in the system in April 2010.

The information from the three systems was transferred to the comptroller’s office for use in verifying unclaimed property records as required under state law, Combs said. The files were not encrypted, even though all data files transferred to the comptroller are required to be. The data was embedded in a chain of numbers and not stored in separate data fields.

“Encrypting records before data transfer could have saved the Texas Comptroller’s office a lot of headaches and expense," Robert J. Scott, managing partner of intellectual property and technology law firm Scott & Scott, told eWEEK.

The exposed data was discovered March 31 when other folders were being scanned on the FTP server used to transfer files, which is not accessible through the comptroller’s main Website. The publicly available FTP server contained other files containing public information such as state contracts and responses to requests for public information.

For more, read the eWEEK article: Personal Data for 3.5 Million Texans Exposed on State Comptroller Server.

CIO Insight Staff Avatar