Breach, Data Security, Encryption

Texas breach affects millions of state employees, retirees

The Texas comptroller's office on Wednesday will begin notifying millions of state employees and retirees that their unencrypted personal data was inadvertently posted to a publicly accessible server, where it remained for an extended period of time.

The names, addresses, Social Security numbers, birth dates and, in some cases, driver's license numbers of approximately 3.5 million individuals were posted to a public FTP server used to transfer files, the comptroller's office said Monday. Three state agencies had transferred the data to the server for use by the comptroller's office as part of the unclaimed property verification system.

Much of the information remained on the server for more than a year. However, the server was not accessible from the comptroller's main website, and there is no reason to believe that the data was misused, Allen Spelce, spokesman for the comptroller's office, told SCMagazineUS.com on Tuesday.

The data included 1.2 million records of education employees and retirees maintained by the Teacher Retirement System of Texas, two million records maintained by the Texas Workforce Commission and 281,000 records of state employees and retirees maintained by the Employees Retirement System of Texas.

Those agencies violated the state's administrative rules by failing to encrypt the data before transferring it to the server, officials said.

In addition, comptroller's office employees failed to follow some “fairly simple” internal procedures, leading to the exposure, Spelce said. Workers had been instructed to set up a system to automatically purge any file posted to the server after one week, but never did. The employees also failed to manually double-check that files sent from other agencies were encrypted.

“The employees responsible for this were let go on Monday,” Spelce said. He would not say how many employees were let go, or whether anyone from the other agencies was fired.

The breach was discovered March 31, and the information was quickly removed from the server and moved to a secure location, he added.

“I deeply regret the exposure of the personal information that occurred, and am angry that it happened,” Texas Comptroller Susan Combs said in a statement. “We take information security very seriously, and this type of exposure will not happen again.”

Because the FTP server was publicly accessible, meaning anyone could view its contents without entering a username and password, someone would just need to know the FTP address to access all the data, Todd Feinman, CEO of Identity Finder, a data leakage prevention software maker, told SCMagazineUS.com on Tuesday.

A casual web surfer likely would not have come across the information, but it is possible, he said. Further, cybercriminals often try to harvest data from publicly accessible FTP sites, especially belonging to state government and higher education institutions.

“The risk is that someone came across it on their own – through working with [the comptroller's office] or through other web-crawling means,” Feinman said. “It is possible that the information would have been easily stumbled upon by automated programs developed by people to find this information.”

The comptroller's office has conducted an internal review and is working to improve its systems to ensure a similar incident does not recur, Spelce said.

The agency is considering implementing software that would automatically encrypt data received from other state agencies, he said. Also, it is considering setting up a separate FTP site for confidential information.

“Right now, we put public and confidential information all on one site,” Spelce said.

The agency has established a website and hot line to provide additional details about the breach and resources for protecting personal information.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.