Unencrypted personal records of 3.5 million Texans were left exposed for more than a year after they were copied onto a public FTP server, said the Texas comptroller.
Texas Comptroller's Office has disclosed that sensitive personal information
belonging to at least 3.5 million residents haw been accidentally exposed,
adding more uncertainty about phishing attacks and identity theft to people
already jittery after Epsilon
Security numbers, birthdates, driver's license numbers, addresses and other
personal information belonging to 3.5 million residents were posted to a
publicly available server, Susan Combs, the Texas comptroller, said April 11.
Most of the information was available for more than a year, but there was no
indication that any of the information had been misused, Combs said.
undisclosed number of employees in the comptroller's office were fired after
the breach was discovered at the end of March, according to R.J. DeSilva, the
agency's spokesperson. He declined to identify them.
take information security very seriously, and this type of exposure will not
happen again," Combs said in a written statement.
exposed details also included information on 1.2 million education employees
and retirees from the Teacher Retirement System of Texas, the Texas Workforce
Commission's 2 million residents, and the Employees Retirement System of Texas'
281,000 state employees and retirees. Data included current and former state
agency employees with benefits and retired state employees who were in the
system in April 2010.
information from the three systems was transferred to the comptroller's office
for use in verifying unclaimed property records as required under state law,
Combs said. The files were not encrypted, even though all data files
transferred to the comptroller are required to be. The data was embedded in a
chain of numbers and not stored in separate data fields.
records before data transfer could have saved the Texas Comptroller's office a
lot of headaches and expense," Robert J. Scott, managing partner of
intellectual property and technology law firm Scott & Scott, told eWEEK.
exposed data was discovered March 31 when other folders were being scanned on
the FTP server used to transfer files, which is not accessible through the
comptroller's main Website. The publicly available FTP server contained other
files containing public information such as state contracts and responses to
requests for public information.
personal data has since been moved to a more secure location, Combs said.
as it has taken a year to discover the error, it will probably take awhile
before the true effect of this mistake will be known. Hopefully, the
individuals involved will have no ill effects," said Scott.
information breach is believed to be the most extensive ever in Texas and one
of the largest nationally. Since Epsilon still has not disclosed how many
consumers were affected by its data
, it is not clear how the incidents compare in size.
incident is highly embarrassing for Combs, who has been outspoken in her
efforts to keep data private. Combs won a victory in December when the Texas
Supreme Court ruled that the dates of birth of about 145,000 state employees
were protected because their release would be a "clearly unwarranted invasion
of personal privacy." That decision came after The Dallas Morning News
requested an updated state payroll database with birth dates.
is pending in Texas legislature to make birth dates public and to let state
employees opt to release personal information other than Social Security
numbers. Combs has opposed the proposal and released a report in December
called "Protecting Texans' Identities."
the data was in the hands of the comptroller, internal procedures were not
followed, which caused the information to be left on a server accessible to the
public and not be purged as required by internal procedures, according to the
Texas attorney general's office and the FBI are investigating this incident.
comptroller's office will be sending out letters to those affected on April 13.
Concerned Texas state employees and residents can get more information from
TXsafeguard.org and the toll-free number (855) 474-2065.