The information posted publicly included names, addresses, social security numbers, birth dates, and driver’s licenses. The data breach is believed to be the largest in Texas history and one of the largest nationwide, according to the Dallas Morning News.
Many of those affected by the data breach are state employees and retirees. Combs explained that the unencrypted data was transferred to her office’s server by the Teacher Retirement System of Texas, the Texas Workforce Commission, and the Employee Retirement System of Texas as part of the unclaimed property verification system. The transfer of unencrypted personal information is a violation of Texas administrative rules, she stressed.
“I deeply regret the exposure of the personal information that occurred and am angry that it happened”, Combs said in a statement. “I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location. We take information security very seriously and this type of exposure will not happen again.”
Combs explained that the unencrypted data was left on the agency’s server “for a long period of time without being purged as required by internal procedures.” Despite being discovered March 31, the data breach was not disclosed by her office until April 11.
The Texas Attorney General’s office was notified and is conducting an investigation into the data breach.
The Comptroller’s office fired a number of employees after the breached was discovered, an agency spokesman told the newspaper.
Commenting on the breach, Phil Lieberman, managing director of Lieberman Software, said that the incident demonstrates the dangers of failing to use high-level information security and audit controls for sensitive data.
The agency’s admission that unencrypted data was passed from agency to agency resulted in a "classic case of too many people having access”, Lieberman said, adding that the data breach could cost the state “billions in legal payouts if hackers get hold of the data.”