Down in Texas, they like to talk about doing things big. Apparently, that extends to security screw-ups, too. According to an article at the ThreatPost security blog, published by Kaspersky Labs, the Texas Comptroller’s Office lost track of some individuals’ data.
The Texas Comptroller’s Office is issuing letters Wednesday to some 3.5 million citizens after personally identifiable data was left exposed to the public on a state server for more than a year, according to a published statement. The exposed data included the names, addresses and Social Security Numbers and driver’s license numbers of citizens, many of them current and former State employees.
Apparently the data, which was intended for use in a system to track unclaimed property, had been transferred from other state agencies, put on a server at the Comptroller’s Office, and then forgotten. The bulk of the data came from the Texas Workforce Commission, the Teacher Retirement System of Texas, and the Texas Employees’ Retirement System. According to the article, the state’s administrative rules specify that any data to be transferred like this should first be encrypted, but that rule was apparently ignored, along with other unspecified internal procedures.
The agency is, of course, playing down the importance of the incident, although they have set up a mechanism for citizen inquiries.
The Texas Comptroller’s Office said it has no evidence the data was stolen or misused. Still, the agency has set up a website and toll free phone line (1-855-474-2065) to provide additional details and recommended steps and resources for protecting identity information.
All of us who are involved in security issues spend a good deal of time talking about technical issues, software flaws, and other esoterica. We all need to remember that good old-fashioned, garden-variety incompetence and stupidity are the biggest security threats of all.