14 DAY TRIAL // The Office of the Texas Comptroller is in the process of notifying 3.5 million individuals that their personal information was exposed after being stored on a publicly accessible server.
The compromised records contained names, mailing addresses, dates of birth, driver's licence numbers and Social Security numbers, more than enough to fall within the category of protected personally identifiable information (PII).
The data was transferred to the Comptroller's office by the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS).
It was publicly accessible for over a year, from January 2010 until March 21 when the problem was discovered.
"I deeply regret the exposure of the personal information that occurred and am angry that it happened," Texas Comptroller Susan Combs said.
"I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location.
We take information security very seriously and this type of exposure will not happen again," she added.
Several factors contributed to the breach. First, the data was transferred by organizations to the Comptroller's office in unencrypted form, contrary to the Texas administrative rules established for agencies.
Second, the office's employees failed to follow several internal procedures, in the first place by allowing the data to be stored in a publicly accessible location and then by not purging it after it served its purpose.
There is currently no evidence to suggest the exposed data was misused, but the Attorney General’s office has been notified and has launched an investigation into the incident.
The Comptroller's office set up a special website with more details about the breach, as well as recommendations for those affected. A toll free phone line was also opened at 1-855-474-2065.