State of Texas in epic data leak fail

The Texas state comptroller has confirmed a massive data leak that inadvertently exposed the social security numbers, names, addresses and birth dates of 3.5 million people.

To make matters even worse, the Lone Star State is refusing to provide credit monitoring or other services for the victims.

So, how did the embarrassing SNAFU occur?

Well, it seems as if the Comptroller’s office mistakenly placed the private information of the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS) on an Internet accessible server.


In addition, the office breached protocol by failing to encrypt the data.

As Chester Wisniewski notes, the data leak could have perhaps been slightly mitigated if the sensitive information had been encrypted as mandated by state law.

“[When] I ask about the [encryption of] servers, databases and other critical storage locations of sensitive data, I see a scary look in [people’s eyes]. They usually respond with ‘Oh, that’s OK, that information is all inside of our firewall,” Sophos security expert Chester Wisniewski wrote in a blog post.

“[But] as we saw with Epsilon and many others before is that sensitive data must be protected regardless of the media or location it is stored.”