As David Harley blogged earlier, the Comptroller of Public Accounts office for the state of Texas yesterday began notifying state employees that the names, addresses, social security numbers and other records of some 3.5 million current or former state employees had been accessible via the Internet.
Unlike the earlier Epsilon Data Management data breach, it seems no names and email addresses were disclosed, so the affected Texas employees probably do not have to worry about spam in their mailboxes. More worryingly, though, is that names, addresses and social security numbers are the type of personally identifiable information criminals need for identity theft.
In this case, there is no evidence, so far, that the records were accessed and used for malicious activity, despite being accessible for perhaps as long as a year. Texas does have laws about encrypting personally identifiable information, and it will be interesting to follow the state comptroller's investigation to find out why this information was not stored securely and how it managed to be available for so long on the agency's servers.
Aryeh Goretsky, MVP, ZCSE
Author Aryeh Goretsky, ESET