Comptroller Acknowledges Huge Security Breach
By Bill Zeeble, KERA News
Dallas, TX – In the largest security breach in state history, the Texas Comptroller's office says it mistakenly left some 3.5 million personal files on a publicly accessible server. KERA's Bill Zeeble reports current and retired state employees are most at risk.
The Comptroller's office acknowledged that private information like names, addresses, Social Security and license numbers, even birthdates, was exposed. Spokesperson Allen Spelce says that when the problem was discovered last month in a routine check, the information was moved to a secured site. He says staff members failed to follow safety measures and have been let go.
Spelce: Secured, encrypted files on the FTP server should have been deleted after seven days, and they weren't deleted after seven days. They sat out there over a year.
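The control that failed here is a retention rule on a file-drop server: files that should have been removed after seven days stayed for over a year. The following is an added example, not code from the Comptroller's office or from the original report, of how an administrator could audit such a drop directory and remove files past the seven-day window; the directory layout and sample files are constructed for the demonstration.

```python
import os
import time
import tempfile
from pathlib import Path

RETENTION_DAYS = 7  # the policy quoted above: drop files are gone after seven days


def files_past_retention(root, retention_days=RETENTION_DAYS, now=None):
    """Return (path, age_in_days) for every regular file under root older than the window.

    Age is taken from the file's mtime, so a file copied in with a fresh timestamp is
    measured from the copy, not from when the agency produced it; if the transfer tool
    preserves mtimes, the age reflects the original file instead. Either way, anything
    older than the window has sat on the server too long.
    """
    now = time.time() if now is None else now
    cutoff = retention_days * 86400
    stale = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            age = now - p.stat().st_mtime
            if age > cutoff:
                stale.append((p, age / 86400))
    return sorted(stale, key=lambda t: -t[1])  # oldest first


def enforce_retention(root, retention_days=RETENTION_DAYS, dry_run=True, now=None):
    """Report (dry_run) or delete files past retention; returns the stale list found."""
    stale = files_past_retention(root, retention_days, now)
    for path, age in stale:
        print(f"{'WOULD DELETE' if dry_run else 'DELETE'} {path} ({age:.1f} days old)")
        if not dry_run:
            path.unlink()
    return stale


def demo():
    # Constructed sample drop directory: one fresh file and one left for over a year.
    root = Path(tempfile.mkdtemp())
    (root / "payroll_fresh.gpg").write_bytes(b"x")
    old = root / "agency" / "payroll_old.gpg"
    old.parent.mkdir()
    old.write_bytes(b"x")
    year_ago = time.time() - 400 * 86400
    os.utime(old, (year_ago, year_ago))  # backdate it 400 days
    return enforce_retention(root, dry_run=True)


if __name__ == "__main__":
    demo()
```

Run it from cron with `dry_run=False` once the report output has been checked; the dry run is what turns a silent policy into something an auditor can see.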
The Comptroller's office established an emergency website with information, and is staffing a 24-hour call center to answer questions. Spelce says there's been no evidence of misuse. But attorney Matt Yarbrough, who specializes in data breach and consumer privacy, says that's the typical response from companies that have compromised private information.
Attorney Matt Yarbrough: The truth is they don't know and won't know until it starts showing up on consumers' credit card statements or other places, or they become victims of identity fraud. A statement from Texas saying "we don't believe any abuse" means they don't have enough information one way or another.
Yarbrough is especially concerned about identity theft, because private information belonging to millions of people was publicly accessible for so long.
Yarbrough: It doesn't take a lot of talent with publicly available tools that are downloadable out there; there are automated scripts that allow people to search for these sorts of vulnerabilities. Leaving that kind of information on a public site, unencrypted, I don't think that's going to pass muster as reasonable measures in any court or in most states.
Allen Spelce says the files in question came from the Teachers Retirement System, the State Employees Retirement System, and the Texas Workforce Commission. For greater security, he says the Comptroller's office has now established two FTP sites.
Spelce: One's going to be set up strictly for confidential information; another's going to be set up that's open to the public. We're also looking at implementing a new software program that automatically encrypts data received from any agency.
Spelce says his agency has already contacted the leading credit agencies so they can be on the lookout. The Comptroller's office will start notifying those affected beginning Wednesday. Spelce says the Attorney General's office is also involved. That's the same office Yarbrough says has gone after numerous Texas companies for this kind of carelessness.