Kelley Shannon reports:
Texas Comptroller Susan Combs revealed Monday that the personal information of 3.5 million people has been inadvertently disclosed by her agency, making Social Security numbers, dates of birth and other data accessible to the public.
The information was available on a publicly accessible computer server and included data transferred by the Teacher Retirement System of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas.
Combs said that on Wednesday her office will begin sending letters to notify those affected by the data breach, which is thought to be the largest in Texas history.
Read more on Dallas News.
The Comptroller’s Office has issued a press release today:
The Texas Comptroller’s office is sending letters beginning Wednesday, April 13, to notify a large number of Texans whose personal information was inadvertently disclosed on an agency server that was accessible to the public. The records of about three and a half million people were erroneously placed on the server with personally identifying information.
There is no indication the personal information was misused.
“I deeply regret the exposure of the personal information that occurred and am angry that it happened,” Texas Comptroller Susan Combs said. “I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location. We take information security very seriously and this type of exposure will not happen again.”
The records contained the names and mailing addresses of individuals. The records also included Social Security numbers, and to varying degrees also contained other information such as dates of birth or driver’s license numbers – all the numbers were embedded in a chain of numbers and not in separate fields.
The information was in data transferred by the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS).
The TRS data transferred in January 2010 had records of 1.2 million education employees and retirees. The TWC data transferred in April 2010 had records of about 2 million individuals in their system. And the ERS data transferred in May 2010 had records of approximately 281,000 state employees and retirees.
The data files transferred by those agencies were not encrypted as required by Texas administrative rules established for agencies. In addition to that, personnel in the Comptroller’s office incorrectly allowed exposure of that data. Several internal procedures were not followed, leading to the information being placed on a server accessible to the public, and then being left on the server for a long period of time without being purged as required by internal procedures. The mistake was discovered the afternoon of March 31, at which time the agency began to seal off public access to the files. The agency has also contacted the Attorney General’s office to conduct an investigation on the data exposure and is working with them.
The information was required to be transferred per statute by these agencies and used internally at the Comptroller’s office as part of the unclaimed property verification system.
The Comptroller views the protection of personal information as a serious issue. She will be working with the Legislature to advance legislation to enhance information security as outlined in the Protecting Texans’ Identities report she released in December. This would include the designation of Chief Privacy Officers at each agency as well as the creation of an Information Security Council in the state.
The agency has set up an informational website for individuals at www.TXsafeguard.org to provide additional details and recommended steps and resources for protecting identity information.
And beginning tomorrow, Tuesday, April 12, a special toll-free phone line at 1-855-474-2065 will also be available for individuals to call. People will be able to check if they are receiving a notification letter by calling that toll-free phone line. The toll-free line will be open 24 hours a day for the first week.
It is not just the Comptroller’s Office’s lack of expertise in appropriately handling the files; what about TWC, ERS and TRS? If the requirement was that the files be encrypted prior to transmission, why was this requirement not met? Those who failed to do so should be fired as well from those three organizations.
As for “– all the numbers were embedded in a chain of numbers and not in separate fields.” This doesn’t matter. Pattern matching programs could crack that in a matter of minutes. This is very serious.
This is the second time that Susan Combs has headed a group that had a massive data breach. As Comptroller, she sits on the board of directors of the Texas Guaranteed Student Loan Corporation that lost the personal information of 1.3 million folks in 2006. Texas legislators refused to enable citizens victimized by the breaches caused by the TGSLC, and now Susan’s own Comptroller’s office, to get a FREE credit freeze. The website that Combs set up is a joke; the folks at the call center are appalling. If you are a victim of this breach, first demand that Combs and the agencies involved fully answer your questions, second DEMAND that your state legislator enable Texans to get a FREE credit freeze if they receive a written notification of a data breach (right now, you have to have a police report; you can’t get a police report in the Comptroller’s breach situation). Third, NEVER, EVER, EVER vote for Susan Combs.