Texas Comptroller takes blame for major breach

Breach that exposed social security numbers of 3.5 million Texans has already led to firing of two IT execs

Days after firing two IT managers after a data breach exposed the Social Security numbers and other personal data of over 3.5 million Texans, Texas Comptroller Susan Combs took personal responsibility for the incident.

In a statement issued by her office on Thursday, Combs apologized for the debacle and said her office would cover the cost of identity monitoring and restoration services for anyone affected by the breach.

The free credit monitoring services are available starting today.

"I am deeply sorry this incident occurred and I take full responsibility for it," Combs said in the statement. "This incident has affected the lives of Texans that I have dedicated my life to serving, and I am determined to restore their faith in the Comptroller's office."

Earlier this month, Combs' office disclosed that Social Security numbers, driver's license numbers, and names and addresses of more than 3.5 million Texas residents had been inadvertently exposed on a publicly accessible Web site for nearly a year.

The exposed data was included in files sent to the State Comptroller's office by the Teacher Retirement System (TRS) of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas (ERS) for use in a property verification system. The data was mistakenly sent unencrypted to the Comptroller's office.

Following the discovery of the breach, the heads of information security and of innovation and technology at the Comtroller's office were fired, and consulting firm Deloitte and Gartner was hired to review its security measures and recommend changes.

Combs also said that her office will be implementing a series of additional measures -- including the installation of new data leak prevention software and an enhanced file transfer system featuring robust encryption capabilities -- to mitigate the chances of a similar incident.

The Comptroller's office will also be adding staff, including a new chief privacy officer, and reorganizing internal reporting structures to strengthen security, she said. The chief privacy officer will work with the office's CTO, information security officer and internal auditor to shore up privacy practices, Combs added.

The breach has already cost the Comptroller's office more than $1.8 million and could end up costing a a whole lot more, according to reports.

So far, the state has spent $1.2 million on sending out notification letters, close to $300,000 for Gartner and Deloitte's services and another $393,000 to set up a call center for handling queries from those affected by the breach, according to The Austin American-Statesman's statesman.com Web site.

In addition, the Web site noted that the identity monitoring service being offered by Combs' office could cost up to $21 million if everybody enrolled in it. Combs has stated that she will bear the cost of identity restoration services from her own campaign funds, the publication noted.

Combs' office did not respond to a request to confirm the estimated costs listed on statesman.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityprivacy

More about AssistGartnerTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts