The Texas Comptroller’s Office is issuing letters Wednesday to some 3.5 million citizens after personally identifiable data was left exposed to the public on a state server for more than a year, according to a published statement.
The exposed data included the names, addresses, Social Security numbers and driver’s license numbers of citizens, many of them current and former State employees. It was retained as part of a State unclaimed property verification system and was left exposed on a server belonging to the Comptroller after being transferred by other State agencies, according to a statement by State Comptroller Susan Combs on April 11.
“I deeply regret the exposure of the personal information that occurred and am angry that it happened,” Texas Comptroller Susan Combs said in the statement. “I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location. We take information security very seriously and this type of exposure will not happen again.”
Some 1.2 million records related to state education employees and retirees from the Teacher Retirement System of Texas were exposed on the insecure server since January 2010. Data on an additional 2 million citizens from the Texas Workforce Commission was transferred to the Comptroller in April, 2010. A final batch of 281,000 records from the Employees Retirement System was transferred to the Comptroller server in May, 2010. In each case, the data was left unencrypted on the server, which was accessible to the public, until the oversight was detected on March 31.
The Texas Comptroller’s Office said it has no evidence the data was stolen or misused. Still, the agency has set up a website and a toll-free phone line (1-855-474-2065) to provide additional details and recommended steps and resources for protecting identity information.
Texas administrative rules require data transfers by agencies to be encrypted; however, the agencies transferring the data did not abide by that rule. Other “internal procedures” were also not followed, including those about purging data after electronic transfers, which resulted in the data being exposed for more than a year, the Comptroller said.
Despite the focus on malware infections and hacking, human error is a frequent source of data breaches. The most recent Verizon Data Breach Report found that 62% of breaches were attributed to human error.