Personal Data for 3.5 Million Texans Exposed on State Comptroller Server

Unencrypted personal records of 3.5 million Texans were left exposed for more than a year after they were copied onto a public FTP server, said the Texas comptroller.

The Texas Comptroller's Office has disclosed that sensitive personal information belonging to at least 3.5 million residents had been accidentally exposed, adding more uncertainty about phishing attacks and identity theft to people already jittery after Epsilon.

Social Security numbers, birthdates, driver's license numbers, addresses and other personal information belonging to 3.5 million residents were posted to a publicly available server, Susan Combs, the Texas comptroller, said April 11. Most of the information was available for more than a year, but there was no indication that any of the information had been misused, Combs said.

An undisclosed number of employees in the comptroller's office were fired after the breach was discovered at the end of March, according to R.J. DeSilva, the agency's spokesperson. He declined to identify them.

"We take information security very seriously, and this type of exposure will not happen again," Combs said in a written statement.

The exposed details also included information on 1.2 million education employees and retirees from the Teacher Retirement System of Texas, 2 million residents from the Texas Workforce Commission, and 281,000 state employees and retirees from the Employees Retirement System of Texas. Data included current and former state agency employees with benefits and retired state employees who were in the system in April 2010.

The information from the three systems was transferred to the comptroller's office for use in verifying unclaimed property records as required under state law, Combs said. The files were not encrypted, even though all data files transferred to the comptroller are required to be. The data was embedded in a chain of numbers and not stored in separate data fields.

"Encrypting records before data transfer could have saved the Texas Comptroller's office a lot of headaches and expense," Robert J. Scott, managing partner of intellectual property and technology law firm Scott & Scott, told eWEEK.

The exposed data was discovered March 31 when other folders were being scanned on the FTP server used to transfer files, which is not accessible through the comptroller's main Website. The publicly available FTP server contained other files containing public information such as state contracts and responses to requests for public information.

The personal data has since been moved to a more secure location, Combs said.

"Just as it has taken a year to discover the error, it will probably take a while before the true effect of this mistake will be known. Hopefully, the individuals involved will have no ill effects," said Scott.

The information breach is believed to be the most extensive ever in Texas and one of the largest nationally. Since Epsilon still has not disclosed how many consumers were affected by its data breach, it is not clear how the incidents compare in size.

The incident is highly embarrassing for Combs, who has been outspoken in her efforts to keep data private. Combs won a victory in December when the Texas Supreme Court ruled that the dates of birth of about 145,000 state employees were protected because their release would be a "clearly unwarranted invasion of personal privacy." That decision came after The Dallas Morning News requested an updated state payroll database with birth dates.

Legislation is pending in the Texas legislature to make birth dates public and to let state employees opt to release personal information other than Social Security numbers. Combs has opposed the proposal and released a report in December called "Protecting Texans' Identities."

Once the data was in the hands of the comptroller, internal procedures were not followed: the information was left on a server accessible to the public and was not purged as those procedures require, according to the office.

The Texas attorney general's office and the FBI are investigating this incident.

The comptroller's office will be sending out letters to those affected on April 13. Concerned Texas state employees and residents can get more information from and the toll-free number (855) 474-2065.