The Texas state comptroller's office has already spent $1.8 million to mitigate the yearlong data breach in which names and Social Security numbers were exposed. The total cost is expected to be even higher as the lawsuits start rolling in.
Personal information belonging to approximately 3.5 million people in Texas was accidentally exposed on a publicly accessible FTP server for a full year before it was detected, Texas comptroller Susan Combs disclosed on March 31. Since then, the comptroller's office has spent $1.2 million to mail letters to those affected and $393,000 for a call center to handle calls from people looking for information and assistance. Another $290,000 went to Deloitte Consulting and Gartner for services related to assessing the damage and improving IT security in the comptroller's office.
Deloitte consultants were hired to determine the extent of the information exposure, and Gartner consultants will be performing an IT security risk assessment of the Comptroller's Office. They will "examine information-security policies and procedures at the agency from an outside perspective," according to the comptroller's office.
Deloitte has confirmed that no additional confidential information has been exposed, according to the office. Gartner's assessment will identify opportunities for improvement in the agency's security and risk-management processes and will include recommendations for the future.
"I and other Texans whose personal data was potentially exposed need to feel confident that an incident like this will never happen again," Texas Comptroller Susan Combs said in a statement. "We will follow our consultants' advice and do everything in our power to ensure that information entrusted to state government is secure."
The head of innovation and technology, and the head of information security have been fired, along with two other employees, according to the statement.
Those whose personal information was exposed are eligible to receive discounts for fraud-related assistance, including credit monitoring, Social Security number protection, Internet surveillance and $10,000 in identity theft insurance from Experian and CSIdentity Protector.
While no one has filed lawsuits related to the breach yet, that remains a possibility. The Texas Civil Rights Project and a lawyer representing one of the victims filed a pre-suit investigation petition on April 26. The petition asked for a deposition from Combs, and is generally the first step before a lawsuit is filed.
The deposition seeks to determine who was responsible for the breach, what procedures were followed and violated, what steps are being taken to prevent this in the future, and what the exact costs are, according to Chuck Herring, a lawyer for Sarah Canright, a teacher affected by the breach.
"The incomplete, misleading statements issued by Comptroller Combs and the Comptroller's Office to date raise more questions than they answer. Texans deserve to know the truth concerning how this illegal and unconstitutional invasion occurred," the lawyers wrote in the court documents.
In 2009, the Department of Veteran Affairs settled a class action lawsuit brought after a laptop containing names, dates of birth and Social Security numbers of 26.5 million current and former military personnel was stolen. The agency paid $20 million.
A recent Ponemon Institute report noted that the average cost of "remedying" a data breach was around $7.2 million. The same report also warned that organizations that move quickly to disclose and repair the breach, as the Texas comptroller's office is, tended to spend 54 percent more per record than the slow-reacting organizations.
The information from the TRS (Teacher Retirement System) of Texas, the Texas Workforce Commission and the ERS (Employees Retirement System) of Texas were left on a public FTP server when they should have been secured immediately. The files also weren't encrypted as required by Texas administrative rules, and other internal procedures weren't followed, Combs said.
Scammers have already taken advantage of the breach, as there have been cases of victims receiving phone calls at home wanting to confirm their personal information. In one scam, the caller identified himself as "Mike with ERS" and said he wanted to confirm the last four digits of the call recipient's Social Security number. When an employee refused to provide the information, "Mike" reportedly said, "Good luck to you," and disconnected.
ERS, TRS and the Texas Workforce Commission have said they are not making any phone calls.
The comptroller's office started sending out letters April 13 informing Texans about the breach
The Texas Attorney General's office and the FBI have not yet completed their investigation.