State of Texas exposes data on 3.5 million people

Filed Under: Data loss, Featured, Privacy

Susan CombsSusan Combs, Comptroller for the state of Texas announced a massive data leak that resulted in 3.5 million people's social security numbers, names, addresses and in some cases their birth date and drivers license number being exposed.

Unlike private companies who have had large releases of PII (Personally Identifiable Information) recently, the state of Texas is not providing credit monitoring or other services for the victims of their mistake. They are simply providing sage advice...

The Comptroller's office discovered on the afternoon of March 31st, 2011 that they had inadvertently placed the private information of the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS) on an internet accessible server.

The data was not encrypted, which is a breach of policy, as well and having bypassed several other policy rules within the state designed to protect people's PII.

Encryption ScrabbleOften when I am talking with people at shows and seminars I ask them if they have an encryption program in place. Nearly always the answer is "Of course! We have deployed encryption to over 80% of our laptops already."

I then ask about the servers, databases and other critical storage locations of sensitive data and I see a scary look in their eyes... They usually respond with "Oh, that's OK, that information is all inside of our firewall."

As we saw with Epsilon and many others before is that sensitive data must be protected regardless of the media or location it is stored.

To learn more about what you can do, download our paper "Protecting PII: Take 8 Steps to Protect".

, ,

You might like

9 Responses to State of Texas exposes data on 3.5 million people

  1. At the risk of sounding paranoid, were all these employees members of unions?

    • FlickDude · 1636 days ago

      We can be paranoid together...I had the exact same question. :-)

      • dacree · 1614 days ago

        I am one of the 3.5mil. So, to answer your question - no. Not only am I not an employee of the state of Texas or a public servant, I am also not a union member.

  2. Ernest Warren · 1636 days ago

    Is the State of Texas so naive as to think just providing guidelines will cover up their "mistake"? I work in an Outsourced Call Center and part of that job is to take calls and enroll customers in free Identity protection from leaks like this. It is one of the lead ID Theft protection company's out there. If I were affected I would get that protection and bill Texas for it since it was their mistake in the first place.

  3. Bob · 1636 days ago

    Interesting! Had this been a corporation they would have had the State and Federal government all over them and would most likely be looking at fines in the hundreds of thousands if not millions of dollars. Not to mention they would be forced to provide free credit reporting to the compromised individuals for 5 - 10 years and would have regulators crawling throughout their business for the next 15 - 20 years. None of which do I disagree with, but seems like there might be a double standard here.

    Of course we do not know the extent of external access to the data or how the faux pas was discovered so my comments could be way off base.

  4. Willys · 1636 days ago

    I want to know the name of the top dog responsible and assurance from the state that the imbecile has been fired, without benefit.

  5. TIERS · 1636 days ago

    I work for the State of Texas and I'm not a Union member. Yesterday we were having system issues and management informed us they were installing a new firewall. A little too late..... Also, they did not explain about the above story in our meeting....

  6. jericho · 1636 days ago

    They should be providing monitoring for free and no we are not unionized in Texas. We are just stuck with the stupidity of those who run the system!!

  7. This is huge! Why does she have such a huge smile on her face? If I was running stuff in Texas I would first slap that Joker-like smile of her face then FIRE everyone! Is she aware that San Antonio, TX is claiming to be Cyber City USA? Someone should tell her that this is an EPIC FAIL for the entire state of Texas. There goes their campaign to be tapped as Cyber City USA. They should stop chasing federal paper and pay a Cybersecurity specialist to encrypt their residents data. Cheap assholes. If you participate in immoral or unethical behavior you will be exposed and your secrets will be put on the Internet. By remaining complacent about their security posture the state's residents paid the ultimate price. Now they get to deal with identity theft issues for the rest of their lives. Well done Texas to you my glass rises! NOT!! #EPICFAIL

    Joe Black CISSP NSA-4011 CISM Security+
    Certified Ethical Hacker

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at