Texans like to say that everything is big in Texas. Well, they've got something new to brag about now.
According to the Dallas Morning Star, Comptroller Susan Combs disclosed yesterday that names, addresses and Social Security numbers - and in some instances, the driver licenses and dates of birth - of some 3.5 million persons were inadvertently left on a "publicly accessible state computer server for a year or longer" that her office uses to verify unclaimed property records.
The Comptroller refused to say whether there is evidence that the data had been downloaded while it was accessible, but did point out that there has been no evidence of anyone having their identity stolen as a result.
How she would know whether that is true is beyond me, since the state hasn't yet notified anyone involved that their identity might have been taken as a result of this breach in security.
The FBI and the Texas Attorney General have already launched an investigation into the incident and those identified as responsible have already been fired. The paper reported that the information was not encrypted as required, and that the internal procedures concerning the proper handling and safeguarding of the data, including its removal after it was used, also were not followed.
The security hole was discovered on the 31st of March "when other folders were being scanned in the server," the Morning Star reported.
The Dallas Morning Star also stated that:
"The information was data from the Teacher Retirement System of Texas covering 1.2 million education employees and retirees that was transferred to the comptroller’s office in January 2010; Texas Workforce Commission records on 2 million people that was transferred in April 2010; and Employees Retirement System of Texas data covering 281,000 state employees and retirees, transferred in May 2010."
On Wednesday, the Comptroller's office will begin sending letters to those affected explaining what happened. It has also set up an informational web site at www.TXsafeguard.org. Basically, the information there says to be vigilant for possible "misuse" of your personal data.
The state is not offering any free credit monitoring services or the like because it has no money to do so.
The Comptroller, per usual, stated that:
"We take information security very seriously, and this type of exposure will not happen again."
One wonders if that is Texas-sized "seriously" or a regularly-sized "seriously"?
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.