Millions of Texans' data left exposed

Texas Comptroller Susan Combs speaks during a news conference Monday, Jan. 12, 2009, in Austin, Texas. She says Texas revenue will drop about $9 billion in the next two-year spending cycle. The grim news comes the day before lawmakers convene in Austin for this year's legislative session. The revenue estimate covers the 2010-2011 fiscal years and is based mostly on sales tax forecasts. Photo: Harry Cabluck, AP

AUSTIN — The Texas attorney general and the FBI are reviewing a breach in Internet security at the state comptroller's office that exposed the personal information, including Social Security numbers, of 3.5 million Texans for more than a year.

State Comptroller Susan Combs announced Monday that a routine screening of computer files discovered that the information was left on an agency server accessible to the public because of mistakes made at her agency and three others.

“I deeply regret the exposure of the personal information that occurred and am angry that it happened,” Combs said. “I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location. We take information security very seriously, and this type of exposure will not happen again.”

Combs' office will begin sending letters Wednesday to inform affected Texans of the breach, which included their names, addresses, Social Security numbers and, in some cases, dates of birth and driver's license numbers. She emphasized that her office has no indication that the exposed data had been accessed or misused in any way.

Jerry Strickland, spokesman for Attorney General Greg Abbott's office, said forensic experts in the cybercrimes unit will be working with the FBI “to determine access points” of the computer files.

The blunder occurred as the comptroller's office was attempting to return unclaimed cash and other abandoned assets to their rightful owners. In that endeavor, the agency asked the Teacher Retirement System, the Employee Retirement System and the Texas Workforce Commission for information on people in their computer systems. That effort was a success: some 78,842 people were invited to claim $41.5 million in property, comptroller spokesman Allen Spelce said.

According to Spelce, state agencies are supposed to encrypt sensitive information before transferring files, but that procedure was not followed. Compounding the error, the comptroller's office failed to follow its internal policies for purging such files on a weekly basis.

“We found it out during a security scan of some folders. We had procedures in place, but unfortunately, due to human error, they weren't followed,” Spelce said. “The people responsible for this lapse are no longer with the agency.” He declined to say how many employees were involved.

Mary Jane Wardlow, a spokeswoman for the ERS, said her agency sent the data in “the secure format prescribed” in a 2009 interagency contract.

Howard Goldman, a spokesman for the TRS, also said his agency “transmitted the data in question in a secure manner through secure file transfer protocol, and its receipt was acknowledged shortly afterwards by the comptroller's office.”

Officials at the ERS, TRS and TWC first learned of the breach when they were summoned to Combs' office early Monday for a briefing.

Spelce acknowledged that Combs' office first learned of the problem at 5:15 p.m. March 31 when attempting to locate the source of spam received by a vendor. A search of all transferred files was begun the next day. The office spent the weekend removing and securing the data in another location, he said.

On the following Monday, the comptroller's office began an internal investigation to determine the cause and extent of the problem. The attorney general's office joined the inquiry Wednesday.

Spelce said the comptroller's office spent the weekend establishing a website, TXsafeguard.org, which outlines procedures for affected Texans to follow if they are notified that their information was compromised. Those affected are urged to contact national credit bureaus and closely monitor “financial profiles for signs of theft and other misuse.”

Beginning today, the public also can call a number established by Combs' office, 855-474-2065, to seek further assistance.

The vulnerable data involved TRS information on 1.2 million education employees and retirees, TWC records of 2 million people and ERS information on 281,000 state employees and retirees.

Combs has endorsed legislation enhancing information security, including a proposal that each agency designate a chief privacy officer and another to create a state Information Security Council.