Security Experts:

Texas Comptroller’s Office Left Unencrypted Data of 3.5 Million on Publicly Accessible Server

The Texas Comptroller’s office said today that records containing personally identifying information of about 3.5 million Texans were left exposed on an agency server that was accessible to the public. The records contained the names and mailing addresses of individuals.

The records also included Social Security numbers, and also contained other information such as dates of birth or driver’s license numbers. The office said that all the numbers were embedded in a chain of numbers and not in separate fields. Despite being required by Texas administrative rules established for agencies, the exposed data was not encrypted. The Comptroller’s office also admitted that internal procedures were not followed, leading to the information being left on the server for a long period of time without being purged as required by internal procedures.

The agency discovered the mistake on March 31, and began to seal off public access to the files as quickly as possible.  leading to the information being placed on a server accessible to the public, and then being left on the server for a long period of time without being purged as required by internal procedures The agency has also contacted the Attorney General’s office to conduct an investigation on the data exposure.

The exposed information was in data transferred by the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS). The TRS data transferred in January 2010 had records of 1.2 million education employees and retirees. The TWC data transferred in April 2010 had records of about 2 million individuals in their system. And the ERS data transferred in May 2010 had records of approximately 281,000 state employees and retirees.

The agency is sending letters beginning Wednesday, April 13, to notify a large number of Texans whose personal information was inadvertently disclosed and has set up an informational website for individuals at to provide additional details and recommended steps and resources for protecting identity information. Additionally, beginning tomorrow, Tuesday April 12, a special toll free phone line at 1-855-474-2065 will also be available for individuals to call.

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.